windows server 2008 for dummies (for dummies (computer tech))

by Ed Tittel and Justin Korelc

Windows Server®

2008FOR

DUMmIES‰

01_180433 ffirs.qxp 2/25/08 7:12 PM Page i

Windows Server® 2008 For Dummies®

Published byWiley Publishing, Inc.111 River StreetHoboken, NJ 07030-5774

www.wiley.com

Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana

Published by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form orby any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permit-ted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior writtenpermission of the Publisher, or authorization through payment of the appropriate per-copy fee to theCopyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600.Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing,Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for theRest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related tradedress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the UnitedStates and other countries, and may not be used without written permission. Microsoft and WindowsServer are registered trademarks of Microsoft Corporation in the United States and/or other countries. Allother trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associatedwith any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REP-RESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THECONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUTLIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CRE-ATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CON-TAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THEUNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OROTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF ACOMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THEAUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATIONOR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FUR-THER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THEINFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAYMAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORKMAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN ITIS READ.

For general information on our other products and services, please contact our Customer CareDepartment within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

For technical support, please visit www.wiley.com/techsupport.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print maynot be available in electronic books.

Library of Congress Control Number: 2008922653

ISBN: 978-0-470-18043-3

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

01_180433 ffirs.qxp 2/25/08 7:12 PM Page ii

by Ed Tittel and Justin Korelc

Windows Server®

2008FOR

DUMmIES‰

01_180433 ffirs.qxp 2/25/08 7:12 PM Page i

Windows Server® 2008 For Dummies®

Published byWiley Publishing, Inc.111 River StreetHoboken, NJ 07030-5774

www.wiley.com

Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana

Published by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form orby any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permit-ted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior writtenpermission of the Publisher, or authorization through payment of the appropriate per-copy fee to theCopyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600.Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing,Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for theRest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related tradedress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the UnitedStates and other countries, and may not be used without written permission. Microsoft and WindowsServer are registered trademarks of Microsoft Corporation in the United States and/or other countries. Allother trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associatedwith any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REP-RESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THECONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUTLIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CRE-ATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CON-TAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THEUNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OROTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF ACOMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THEAUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATIONOR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FUR-THER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THEINFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAYMAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORKMAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN ITIS READ.

For general information on our other products and services, please contact our Customer CareDepartment within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

For technical support, please visit www.wiley.com/techsupport.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print maynot be available in electronic books.

Library of Congress Control Number: 2008922653

ISBN: 978-0-470-18043-3

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

01_180433 ffirs.qxp 2/25/08 7:12 PM Page ii

http://www.wiley.com/go/permissions

http://www.wiley.com/

http://www.wiley.com/techsupport

About the AuthorsEd Tittel is an increasingly grizzled, if not wizened, veteran of the publishinggame, with over a thousand magazine articles and more than 140 books to hiscredit. Ed has worked on numerous For Dummies books, including HTML 4For Dummies, 5th Edition (with Mary Burmeister) and XML For Dummies, 4thEdition (with Lucinda Dykes), as well as books on many other topics. Edruns a small professional IT practice in Round Rock, TX, that specializes innetwork-oriented training, writing, and consulting. When Ed’s not busy writ-ing, he likes to spend time with his wife, Dina, and son, Gregory. He also likesto shoot pool, cook, and read sci-fi. You can reach Ed by e-mail at [email protected] or through his Web page at www.edtittel.com.

Justin Korelc has been working with computers and technology for over 15years. Justin is an independent consultant working as a writer and trainer. Hiswork focuses on security, Windows and Linux operating systems, and PChardware. Justin has coauthored several books on media PCs, including Buildthe Ultimate Home Theater PC (an ExtremeTech BuildIt Guide) and HackingMythTV (an ExtremeTech title). He has developed online training materials oninformation security, PC tune-ups, file transfer technologies, and more.Justin’s computer knowledge is self-taught and based on nearly 20 years ofhands-on experience. He spends his spare time practicing the fine art ofbricolage, playing with computers, and improving his culinary skills. You canreach Justin by e-mail at [email protected].

01_180433 ffirs.qxp 2/25/08 7:12 PM Page iii

01_180433 ffirs.qxp 2/25/08 7:12 PM Page iv

Authors’ AcknowledgmentsAs always, thanks to my agent, Carole McClendon at Waterside Productions,for hooking me up with For Dummies in the first place. Has it really been 15years now? On the Wiley side, special thanks to Katie Feltman, Kim Darosett,and Heidi Unger. I’d also like to thank Justin Korelc for rolling up his sleevesand digging into the former Longhorn Server as far back as Beta 1. Personally,I want to thank my Mom and Dad for making my career both possible andattainable. Finally, I want to thank my wife, Dina Kutueva, for coming into mylife rather later than sooner, and for giving me our wonderful son, Gregory.

—ET

Thanks to my coauthor, Ed Tittel, for including me in this book.

—JPK

01_180433 ffirs.qxp 2/25/08 7:12 PM Page v

Publisher’s AcknowledgmentsWe’re proud of this book; please send us your comments through our online registration formlocated at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions and Editorial

Project Editor: Kim Darosett

Senior Acquisitions Editor: Katie Feltman

Copy Editor: Heidi Unger

Technical Editor: Christian Mayoros

Editorial Manager: Leah Cameron

Editorial Assistant: Amanda Foxworth

Sr. Editorial Assistant: Cherie Case

Cartoons: Rich Tennant(www.the5thwave.com)

Composition Services

Project Coordinator: Lynsey Stanford

Layout and Graphics: Stacie Brooks, Reuben W. Davis, Andrea Hornberger,Shane Johnson, Christine Williams

Proofreaders: Laura Albert, BroccoliInformation Management

Indexer: Broccoli Information Management

Publishing and Editorial for Technology Dummies

Richard Swadley, Vice President and Executive Group Publisher

Andy Cummings, Vice President and Publisher

Mary Bednarek, Executive Acquisitions Director

Mary C. Corder, Editorial Director

Publishing for Consumer Dummies

Diane Graves Steele, Vice President and Publisher

Joyce Pepple, Acquisitions Director

Composition Services

Gerry Fahey, Vice President of Production Services

Debbie Stailey, Director of Composition Services

01_180433 ffirs.qxp 2/25/08 7:12 PM Page vi

Contents at a GlanceIntroduction .................................................................1

Part I: Servers at Your Service .......................................7Chapter 1: Making Windows Server 2008 Serve You .....................................................9Chapter 2: Server Networking Principles......................................................................21Chapter 3: Building Your Network..................................................................................39Chapter 4: Hooking Up Your Network............................................................................57

Part II: Servers, Start Your Engines ..............................71Chapter 5: Ready, Set, Install!..........................................................................................73Chapter 6: Configuring Connections to the Universe ..................................................93Chapter 7: Doing the Directory Thing .........................................................................115Chapter 8: Working with Active Directory, Domains, and Trusts ............................137Chapter 9: Printing on the Network .............................................................................155Chapter 10: IP Addressing: Zero to Insane in Two Seconds Flat ..............................175

Part III: Running Your Network .................................199Chapter 11: Managing Users with Active Directory Users and Computers ............201Chapter 12: Managing Shares, Permissions, and More..............................................227Chapter 13: Preparing for That Rainy Day ..................................................................241Chapter 14: Network Security Management ...............................................................263

Part IV: Serve It Yourself...........................................281Chapter 15: How to Be a DIY Guru ...............................................................................283Chapter 16: Servers the Intel Way ................................................................................297Chapter 17: Servers the AMD Way ...............................................................................315Chapter 18: Taking Care of Your Own Issues ..............................................................331

Part V: The Part of Tens ............................................351Chapter 19: Ten Tips for Installation and Configuration...........................................353Chapter 20: Ten Steps to Networking Nirvana with Windows Server 2008 ............363

Part VI: Appendixes ..................................................371Appendix A: Server Components and Technologies .................................................373Appendix B: Windows Troubleshooting Resources...................................................385

Index .......................................................................391

02_180433 ftoc.qxp 2/25/08 7:13 PM Page vii

02_180433 ftoc.qxp 2/25/08 7:13 PM Page viii

Table of ContentsIntroduction..................................................................1

About This Book...............................................................................................1How to Use This Book .....................................................................................2Foolish Assumptions .......................................................................................3How This Book Is Organized...........................................................................3

Part I: Servers at Your Service ..............................................................3Part II: Servers, Start Your Engines ......................................................4Part III: Running Your Network .............................................................4Part IV: Serve It Yourself........................................................................4Part V: The Part of Tens.........................................................................5Part VI: Appendixes................................................................................5Bonus Chapter ........................................................................................5

Icons Used in This Book..................................................................................5Where to Go from Here....................................................................................6

Part I: Servers at Your Service ........................................7

Chapter 1: Making Windows Server 2008 Serve You . . . . . . . . . . . . . . .9Any Server Must Do This ..............................................................................10Choosing Windows Server 2008 ...................................................................11

Meeting the Windows Server 2008 family .........................................11Why use Windows Server 2008? .........................................................12

Exploring Windows Server 2008 Networking Features .............................14Providing services through your server ...........................................14Managing the user experience............................................................16Keeping it all safe and secure .............................................................16

The Very Basics of Windows Server 2008 ...................................................18

Chapter 2: Server Networking Principles . . . . . . . . . . . . . . . . . . . . . . . .21Understanding the Differences between Server and Client

Networking ..................................................................................................21More Is Better: Multiple NICs (No Cuts)......................................................23Windows Server 2008 Enhances Networking .............................................24

Next Generation TCP/IP stack ............................................................24Offloading protocol processing ..........................................................27TCP Chimney ........................................................................................28Changes to NDIS ...................................................................................28

Networking Is About Services, Too..............................................................30What clients want.................................................................................30What enterprises want ........................................................................35

02_180433 ftoc.qxp 2/25/08 7:13 PM Page ix

Chapter 3: Building Your Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39Developing a Network Implementation Plan ..............................................39Understanding Network Design’s Barest Basics ........................................42Deciding Where Networking Devices Must Go...........................................45Consider Hiring an Expert to Install Cable and Equipment......................46Always Check Your Work!..............................................................................47Evaluating Your Network’s Performance and Usefulness .........................47Creating a Network Map................................................................................48

It isn’t a map; it’s the whole enchilada ..............................................49Capturing data for your network map ...............................................49Taking stock of your network .............................................................50When the network changes, so does the map! .................................52

Network Interfaces: Built-ins versus Extender Cards................................52Don’t knock your NIC...........................................................................53Don’t stub your TOE (TCP Offload Engine) ......................................54The ever-popular ping test..................................................................55

Chapter 4: Hooking Up Your Network . . . . . . . . . . . . . . . . . . . . . . . . . . .57Make a Network Medium Happy! .................................................................57

Fiber and coax make a seriously twisted pair ..................................60Wireless is media, too! .........................................................................63A final note about cabling ...................................................................64

Raising the Bandwidth Ceiling......................................................................65100 Mbps Ethernet ...............................................................................67Gigabit Ethernet....................................................................................68

The Backbone’s Connected to . . . Everything Else!...................................69

Part II: Servers, Start Your Engines...............................71

Chapter 5: Ready, Set, Install! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73Planning the Installation: Upgrade or New? ...............................................73

Handling preinstallation tasks ............................................................75Preparing for the battle .......................................................................77

Got Enough Horsepower? .............................................................................79Step by Step: Installing Windows Server 2008............................................82

Server: Are you ready?.........................................................................82Windows Server 2008 Setup: A walk-through ...................................82

Installing from an Existing OS.......................................................................85Installing across a Network...........................................................................87Installing Remotely ........................................................................................88Working through Post-Installation Stress Disorder ...................................88

Understanding Activation ...................................................................88Dealing with service packs..................................................................89Using Automated System Recovery...................................................90

Oops, My Installation Didn’t Take................................................................91Exploring Automated Installation ................................................................92

Windows Server 2008 For Dummies x

02_180433 ftoc.qxp 2/25/08 7:13 PM Page x

Chapter 6: Configuring Connections to the Universe . . . . . . . . . . . . . .93Completing the Initial Configuration Tasks ................................................94Server Manager Configuration .....................................................................95

Getting to know the Server Manager console...................................96Establishing directory trees and forests .........................................103Getting the word out ..........................................................................108Organizing the neighborhood...........................................................109

Establishing Remote Connections .............................................................111Getting connected ..............................................................................111Other frills ...........................................................................................113

Chapter 7: Doing the Directory Thing . . . . . . . . . . . . . . . . . . . . . . . . . . .115What Is a Directory Service? ......................................................................115Meeting Active Directory ............................................................................116

Organizing and storing data..............................................................116Managing data.....................................................................................117Locating data and resources.............................................................118

Of Domains and Controllers .......................................................................118In the beginning . . . ............................................................................118Wherefore art thou, BDC/PDC?.........................................................120

Knowing What Makes Active Directory Tick ............................................121What replication means.....................................................................122The grand schema of things..............................................................124Global catalogs ...................................................................................125

Planning for Active Directory .....................................................................126What’s in a namespace?.....................................................................127Making sites happen ..........................................................................127Oh, you organizational unit (OU), you.............................................129

Installing Active Directory ..........................................................................129Promoting domain controllers..........................................................130Active Directory’s database and shared system volume..............130Modes of domain operation..............................................................131

When Domains Multiply ..............................................................................133Trust relationships across domains ................................................133Building trees ......................................................................................134Understanding forests .......................................................................135

Chapter 8: Working with Active Directory, Domains, and Trusts . . .137Master of Your Domain................................................................................137Trusts Are Good for NT 4.0 and Active Directory Domains ...................140How Domain Controllers Work Together ..................................................141

When replication happens ................................................................141Know your database limits ...............................................................143

Administrivia Anyone? (Controlling Domains and Directories) ............144Exploring the directory management console ...............................144Creating directory objects ................................................................145Finding directory objects ..................................................................148A word on ADSI ...................................................................................148

xiTable of Contents

02_180433 ftoc.qxp 2/25/08 7:13 PM Page xi

Permission to Proceed? Handling Directory Permissions ......................149About Active Directory permissions ...............................................149Assigning permissions .......................................................................149Permissions inheritance....................................................................150Delegating administrative control....................................................151

Managing Trusts...........................................................................................152Establishing trusts .............................................................................153If you open the door to trusts, who gets to come through? .........154

Chapter 9: Printing on the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . .155Windows 2008 Has a Print Model...............................................................156

Physical print devices........................................................................158Logical assignments...........................................................................158

Installing on the Server’s Side ....................................................................160Meet the Printers folder ....................................................................160Adding a networked print device .....................................................161

Sharing Printer Access ................................................................................167Bringing Printers and Clients Together.....................................................168Managing Windows 2008–Based Printers .................................................169Preventing Printer Problems ......................................................................171Faxing the Windows Server 2008 Way .......................................................172

Enabling faxing....................................................................................173Sending faxes ......................................................................................173

Chapter 10: IP Addressing: Zero to Insane in Two Seconds Flat . . .175Resolving a Name: TCP/IP and NetBIOS....................................................175

NetBIOS names ...................................................................................176TCP/IP names and addresses............................................................178

Calling Everything a Node...........................................................................180To network ID or host ID? That is the question..............................180Subnetting: Quiet time for IP addresses ..........................................182Hanging your shingle: Obtaining IP addresses ...............................184Address translation: The new magic ...............................................185

Forcing IP Down the Throat of Windows Server 2008.............................187Basic configuration ............................................................................187Advanced configuration ....................................................................189

Everyone WINS Sometimes.........................................................................191A glimpse at WINS ..............................................................................191WINS servers.......................................................................................192WINS clients ........................................................................................192

NetBIOS over TCP/IP....................................................................................193DNS Does the Trick ......................................................................................193

Whether to DNS ..................................................................................194The deans of DNS ...............................................................................194

Windows Server 2008 For Dummies xii

02_180433 ftoc.qxp 2/25/08 7:13 PM Page xii

DHCP: IP Addressing Automation ..............................................................195What is DHCP? ....................................................................................195Is DHCP in your future?......................................................................196

Ironing Out Problems ..................................................................................197

Part III: Running Your Network..................................199

Chapter 11: Managing Users with Active Directory Users and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201

User Accounts Have Properties .................................................................201Administrators rule! ...........................................................................203Guests can wear out their welcome.................................................203

Creating Active Directory Accounts ..........................................................204General tab ..........................................................................................208Address tab .........................................................................................208Account tab.........................................................................................208Profile tab ............................................................................................208Telephones tab ...................................................................................210Organization tab .................................................................................210Member Of tab ....................................................................................210Dial-in tab ............................................................................................211

Getting Pushy with Users............................................................................211What about Groups? ....................................................................................212

Understanding group scopes............................................................212Creating and managing groups .........................................................214Using built-in groups..........................................................................215

Giving Your Users Nice Profiles..................................................................217Where You Find Profiles, Policies Are Never Far Away ...........................219

Administering a group policy ...........................................................219Understanding how group policies are processed ........................221Creating a group policy .....................................................................222Auditing for trouble............................................................................224

When Access Problems Loom . . . ..............................................................225

Chapter 12: Managing Shares, Permissions, and More . . . . . . . . . . .227More about Objects, Rights, and Permissions .........................................228

An object lesson .................................................................................228When is a file not an object? .............................................................229Users have rights; objects have permissions .................................229

Of Windows Server 2008 NTFS and Permissions .....................................230NTFS permissions...............................................................................232Advanced permissions ......................................................................233

FAT and FAT32 Have No Permissions.........................................................234Share Permissions........................................................................................235

xiiiTable of Contents

02_180433 ftoc.qxp 2/25/08 7:13 PM Page xiii

Calculating Actual Permissions..................................................................237The rules of calculation.....................................................................237Figure this! ...........................................................................................237Let the OS do it for you......................................................................238

But What about Access Control with Active Directory Objects? ..........239Delegation of access control.............................................................239Property-based inheritance ..............................................................239

Chapter 13: Preparing for That Rainy Day . . . . . . . . . . . . . . . . . . . . . . .241Why Bother Backing Up?.............................................................................241

Considering potential threats ...........................................................242How many backup types are there?.................................................243Network versus local backup ...........................................................245Understanding the technology .........................................................246

Beep! Beep! Planning Backups....................................................................249Storing backup tapes off-site ............................................................249Documenting your hardware and its settings.................................250Practicing disaster recovery for your system ................................250

The Windows Server 2008 Backup Facility ...............................................251Looking at the big picture .................................................................252Performing command line backups .................................................253Selecting targets and volumes .........................................................254Specifying backup destination and media settings........................255Scheduling backup jobs.....................................................................256

Restoring from a Backup.............................................................................256Third-Party Backup Options.......................................................................257

Finding third-party packages ............................................................258Evaluating backup systems...............................................................258

The Backup Operator ..................................................................................260

Chapter 14: Network Security Management . . . . . . . . . . . . . . . . . . . .263Network Security Basics .............................................................................264

Getting physical..................................................................................264Informing the masses about security policies................................267

Windows Server 2008 and Security ...........................................................268Usernames are more than just names .............................................269Passwords and security.....................................................................270A few more things about passwords................................................274

A Look into the Future: Service Packs.......................................................274Copping an Attitude.....................................................................................275

The Everyone group...........................................................................276User rights...........................................................................................276

Plugging Common Mouse Holes.................................................................277Unseen administrative shares ..........................................................277Decoy accounts ..................................................................................278Last logged on username ..................................................................278When good floppies go bad ..............................................................278

Security Equals Vigilance............................................................................279

Windows Server 2008 For Dummies xiv

02_180433 ftoc.qxp 2/25/08 7:13 PM Page xiv

Part IV: Serve It Yourself ...........................................281

Chapter 15: How to Be a DIY Guru . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283Server Requirements Revisited..................................................................284

Processors: Cores, counts, and options..........................................284Memory: You can’t have too much ..................................................285Disk space: Look out, it’s a RAID! .....................................................286Network access: Internal, add-in, and counts.................................287Case and power supply .....................................................................289What about graphics? ........................................................................291Important miscellany (cooler, fans, optical drive, monitor,

keyboard, mouse) ...........................................................................291Building a Better Budget .............................................................................292PC Component Shopping Tips....................................................................293Assessing Windows Server 2008 Compatibility .......................................294

Chapter 16: Servers the Intel Way . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297Choosing a CPU and Motherboard First ...................................................298Selecting and Sizing Memory......................................................................299Selecting and Sizing Disk Space..................................................................300

Accessing current needs and anticipating future growth .............300Planning for RAID ..............................................................................301

Making Network Connections.....................................................................301Picking the Right Case and Power Supply ................................................302Building an Intel-Based Server from A to Z...............................................303

Insert the PSU .....................................................................................304Seat the CPU and cooler ....................................................................305Seat the RAM modules.......................................................................309Install the hard disk drives................................................................311Install the optical disk .......................................................................312Set up the hardware ...........................................................................313Install the OS.......................................................................................314

Ready to Rock-and-Roll?..............................................................................314

Chapter 17: Servers the AMD Way . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315Choosing the CPU and Motherboard First................................................316

What we chose for our example build.............................................316Exploring your options ......................................................................316

Selecting and Sizing Memory......................................................................317Selecting and Sizing Disk Space..................................................................318Making the Network Connections..............................................................318Picking the Right Case and Power Supply ................................................318Construction from A to Z ............................................................................319

Insert the PSU .....................................................................................319Seat the CPU and cooler ....................................................................320Seat the RAM modules.......................................................................324Installing hard disk drives.................................................................326

xvTable of Contents

02_180433 ftoc.qxp 2/25/08 7:13 PM Page xv

Installing the optical disk ..................................................................328Setting up hardware ...........................................................................329Installing the OS..................................................................................329

Ready to Rock-and-Roll?..............................................................................330

Chapter 18: Taking Care of Your Own Issues . . . . . . . . . . . . . . . . . . . .331Troubleshooting Common Windows Server 2008 Problems..................332

Setup failures ......................................................................................332Startup failures ...................................................................................333Diagnosing startup errors .................................................................335Run-time issues...................................................................................337Windows Activation ...........................................................................339Hardware upgrades and software updates .....................................340

Monitoring Server Operations....................................................................341Event Viewer .......................................................................................341Reliability and Performance .............................................................343Device Manager ..................................................................................346

Tweaking Windows Server 2008 for Efficiency.........................................346Managed entities ................................................................................346Run-time optimization .......................................................................348

Making the Most of Your Server.................................................................349

Part V: The Part of Tens .............................................351

Chapter 19: Ten Tips for Installation and Configuration . . . . . . . . . . .353Exceed the Minimum Requirements..........................................................354Use Only Qualified Server Hardware .........................................................355Install from Your Network ...........................................................................356Let the Software Do the Work: Automating Installation..........................356Beat Installation Weirdness: Be Persistent ...............................................358Let Lo-Res Come to Your Rescue! ..............................................................358Use “Last Known Good” to Do Good!.........................................................359A Custom Installation Saves Systems! .......................................................359Use the Windows Server 2008 DVD to Boot..............................................360When in Doubt, Back Up!.............................................................................361Prepare for the Real Work! ..........................................................................361

Chapter 20: Ten Steps to Networking Nirvana with Windows Server 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363

Never Overlook the Obvious ......................................................................364Check Windows Server 2008 Routing ........................................................364Open Your TCP/IP Toolkit ...........................................................................365Use One or More Fast Server Network Adapters.....................................366

Windows Server 2008 For Dummies xvi

02_180433 ftoc.qxp 2/25/08 7:13 PM Page xvi

Know When to Divide and When to Conquer...........................................367When in Doubt, Check Your Services ........................................................367Handle Names and Addresses Efficiently .................................................368Ask What’s New or Different .......................................................................369If You Need Help, Ask...................................................................................369Watch Network Trouble Spots....................................................................370

Part VI: Appendixes...................................................371

Appendix A: Server Components and Technologies . . . . . . . . . . . . . .373Server Motherboards ..................................................................................374Server Processors ........................................................................................375Server Memory (RAM) ................................................................................376Disk Drives, Controllers, and RAID ............................................................377

SCSI versus SATA drives ....................................................................378SCSI versus SATA controllers ............................................................379Building RAID arrays..........................................................................381

High-End Network Adapters .......................................................................383

Appendix B: Windows Troubleshooting Resources . . . . . . . . . . . . . .385Marvels from Microsoft ...............................................................................385Windows Server 2008 Books.......................................................................387Server-Friendly Publications ......................................................................388Other Third-Party Windows Server 2008 Sources ...................................389

Index........................................................................391

xviiTable of Contents

02_180433 ftoc.qxp 2/25/08 7:13 PM Page xvii

Windows Server 2008 For Dummies xviii

02_180433 ftoc.qxp 2/25/08 7:13 PM Page xviii

Introduction

Welcome to Windows Server 2008 For Dummies, the book that helpsanyone who’s unfamiliar with Windows Server 2008 (or Windows-

based networks) find his or her way around a Windows Server 2008–basednetwork. In a wired world, networks provide the links that tie all userstogether. This book tells you what’s going on, in basic, straightforward terms.

Although a few fortunate individuals may already be acquainted withWindows Server 2008 and the networks it supports, many more people arenot only unfamiliar with server-based networking but downright scared of it.To those who may be concerned about facing new and difficult technologies,we say, “Don’t worry. Be happy.” Using a server-based network isn’t beyondanyone’s wits or abilities — it’s mostly a matter of using a language that ordi-nary people can understand.

Ordinary folks are why this book talks about using Windows Server 2008 andnetworks in simple — and deliberately irreverent — terms. Nothing is toohighfalutin to be mocked, nor too arcane to state in plain English. And whenwe do have to get technical, we warn you and make sure to define our termsto boot.

This book aims to help you meet your needs. You’ll find everything you needto know about Windows Server 2008 in here, so you’ll be able to find yourway around — without having to learn lots of jargon or obtain an advanceddegree in computer science along the way. We want you to enjoy yourself.Because server-based networking really is a big deal, it’s important that yoube able to get the most out of it. We really want to help!

About This BookThis book is designed so you can pick it up and start reading at any point —like you might read a reference book. In Parts I and II, we cover server basics:concepts and terminology in Part I, and the installation and deployment ofWindows Server 2008 in Part II. In Parts III through V, you’ll find tons of infor-mation on how to run or build a Windows Server 2008–based network. Part IIIcovers running a Windows Server 2008–based network, whereas Part IVdescribes how you might design, build, and use a do-it-yourself networkserver PC. Part V includes tips and tricks to help smooth out installing, con-figuring, and using Windows Server 2008.

03_180433 intro.qxp 2/25/08 7:17 PM Page 1

Each chapter is divided into freestanding sections, each one relating to thechapter’s major theme. For example, the chapter on installing WindowsServer 2008, contains the following collection of information:

� The differences between an upgrade install and a clean install

� How to make sure your hardware is suitable for use as a server

� A step-by-step walkthrough of the installation process

� What to do when installation completes

� Troubleshooting installation problems

� Automating the Windows Server 2008 installation process

You don’t have to memorize the contents of this book. Each section suppliesjust the facts you need to make networking with Windows Server 2008 easy touse. On some occasions, however, you may want to work directly from thebook to make sure you keep things straight.

How to Use This BookThis book works like a reference, so start with a topic that interests you. Youcan use the table of contents to identify general areas of interest or broadtopics. The index, however, is your best tool for identifying detailed con-cepts, related topics, or particular Windows Server 2008 capabilities, tools,or controls.

After you find what you need, you can close the book and tackle whatever taskyou’ve set for yourself — without having to grapple with unrelated details.

If you’ve never worked with a Windows Server operating system before, it’s a good idea to read Parts I and II in their entirety. Likewise, if you’re new toadministering a Windows Server 2008–based network, you might want to readall of Part III. If the idea of building your own server PC from scratch soundsinteresting, you’ll definitely dig Part IV. Otherwise, dig in wherever your fancymoves you!

When you need to type something at the keyboard, you’ll see text that lookslike this: Type this. You’re expected to enter this text at the keyboard andthen press the Enter key. Because typing stuff can sometimes be confusing, wealways try to describe what it is you’re typing and why you need to type it.

This book occasionally suggests that you consult the Windows Server 2008online help, printed manuals, Resource Kit, and even Microsoft’s Web site foradditional information. In most cases, though, you find everything you needto know about a particular topic right here — except for some of the bizarredetails that abound in Windows Server 2008.

2 Windows Server 2008 For Dummies

03_180433 intro.qxp 2/25/08 7:17 PM Page 2

If there’s a topic we don’t cover in this book that you need to know moreabout, we suggest you look for a book on that subject in the For Dummiesseries, published by Wiley Publishing. In addition, a whole world of Webinformation about Windows Server 2008 is available on the Internet, and theMicrosoft Web site (at www.microsoft.com/windowsserver2008/default.mspx) isn’t a bad place to start looking for such information.

Foolish AssumptionsWe’re going to climb out on a limb and make some potentially foolishassumptions about you, our gentle reader. You have or are thinking about get-ting a computer, a network, and at least one copy of Windows Server 2008.You know what you want to do with these things. You might even be able tohandle all these things yourself, if somebody would only show you how. Ourgoal with this book is to decrease your need for such a somebody, but wedon’t recommend telling him or her that out loud — at least, not until you’vefinished this book!

How This Book Is OrganizedThe book is divided into five major parts, each of which consists of two to six chapters. Each chapter covers a major topic and is divided into sections,which discuss particular issues or concerns related to that topic. That’s howthings in this book are organized, but how you read it is up to you. Choose atopic, a section, a chapter, or a part — whatever strikes your fancy or suitsyour needs — and start reading.

Part I: Servers at Your ServicePart I provides an introduction to Windows Server 2008. You’ll find a detaileddescription of Windows Server 2008 in Chapter 1 that includes its importantfeatures, functions, capabilities, and requirements. Chapter 2 takes a moregeneral look at server-based networking and explains what makes serversspecial, hardware-wise; what kinds of things servers do; and what servicesthey provide. Chapters 3 and 4 provide a speedy primer on network designand construction to help you decide where to put the pieces and parts thatgo into a network, including your server, and what to do with them whenthey’re all interconnected. If you’re already a seasoned networker or haveworked with another Windows Server operating system, you can skip thispart if you’d like, although you may still want to check out Chapter 1 to seewhat’s new and interesting in this latest and presumably greatest of WindowsServer operating systems.

3Introduction

03_180433 intro.qxp 2/25/08 7:17 PM Page 3

Part II: Servers, Start Your EnginesPart II tackles Windows Server 2008 head on, starting with its installation and configuration. It covers the issues involved in installing and configuringnetwork hardware specifically for Windows Server 2008. It also covers how to install and manage print servers and services on a Windows Server2008–based network, how to handle Transmission Control Protocol/InternetProtocol (TCP/IP) addresses, and how to set up and manage directory ser-vices in a Windows Server 2008–based environment. Part II is where youfigure out how to put the basic pieces of a network together using WindowsServer 2008.

Part III: Running Your NetworkPart III picks up where Part II leaves off — that is, it talks about living withand managing a Windows Server 2008–based network after the initial installa-tion and configuration phase is complete. It begins with a discussion of howto manage users and groups on a Windows Server 2008–based network,including details on profiles, policies, and local and global groups. Next, itcovers how Windows Server 2008 controls access to NTFS files and directo-ries and how to manage network-accessible file system resources calledshares.

After a network’s users, groups, and data assets are in place, rebuilding such a setup from scratch can be a real pain. That’s where a backup comes in handy, so Part III covers the ins and outs of backing up and restoring aWindows Server 2008 machine, plus other aspects of fault tolerance. Afterthat, a review of network security principles and practices should help toprepare you to protect your data from accidental loss and from would-behackers and crackers.

Part IV: Serve It YourselfPart IV takes a detour away from the software side of servers to dig deeplyinto the hardware on which such software must run. You’ll find out whatkinds of pieces and parts go into a PC and what kinds of selections make themost sense when that PC is going to act as a network server. You’ll also diginto the specifics involved in building a basic Intel-based PC for use withWindows Server 2008, where we guide you through options and selectionrationales for choosing specific processors, motherboards, memory, diskdrives, and so forth. Then we repeat that process for AMD-based PCs forthose who might choose to opt for an Opteron processor instead.


03_180433 intro.qxp 2/25/08 7:17 PM Page 4

Part V: The Part of TensPart V follows the grand tradition of For Dummies books, all of which include“The Part of Tens.” Here, you’ll find lists of information, tips, tricks, and sug-gestions, all organized into short and convenient chapters. This supplemen-tal information is designed to be both helpful and informative and is suppliedat no extra charge.

Part VI: AppendixesIf you’ll recall, we said earlier that this book is divided into five major parts.By definition, that means the appendixes must be a minor part of the book,although there’s nothing minor about the content you’ll find covered here. Infact, we decided to include this material to provide our readers with addi-tional information and resources on server hardware and developing goodtroubleshooting skills to help provide users with the best networking experi-ences possible.

Bonus ChapterYou’ll find a bonus chapter titled “What Makes Servers Special” at this book’scompanion Web site at www.dummies.com/go/winserver2008. This chap-ter will quickly get you up to speed on server capabilities.

Icons Used in This BookThe icons used in this book point you to important (and not so important)topics in the text.

This icon lets you know that you’re about to encounter information that’simportant to understand if you really want to get what’s going on withWindows Server 2008. It may be painful at times, but you have to slogthrough it.

Oh gee, we’re getting so old that we can’t recall what this one means. Maybeyou should check one out and see whether it’s worth watching for!

5Introduction

03_180433 intro.qxp 2/25/08 7:17 PM Page 5

This icon lets you know that you’re about to be swamped in technical details.We include this information because we love it, not because we think youhave to master it to use Windows Server 2008. If you aspire to nerdhood, youprobably want to read it; if you’re already a nerd, you’ll want to write usabout stuff we left out or other information we should put in!

This icon signals that helpful advice is at hand. We also use it when we offerinsights that we hope make using Windows Server 2008 more interesting oreasier. For example, whenever we include a shortcut that improves your pro-ductivity, it’s usually marked with the Tip icon.

This icon means what it says — you’d better be careful with the informationit conveys. Nine times out of ten, it’s warning you not to do something thatcan have nasty or painful consequences, as in accidentally wiping out thecontents of an entire hard drive. Whoops!

Where to Go from HereWith this book at your side, you should be ready to wrestle with WindowsServer 2008 and the networks it connects to. Find a subject, turn to its page,and you’re ready to jam. Feel free to mark up this book, fill in the blanks, dog-ear the pages, and do anything else that might make a librarian queasy. Theimportant things are to make good use of it and enjoy yourself while you’re at it.

Please check out the Web page at www.dummies.com. Be sure to take theopportunity to register your purchase online or send us e-mail with feedbackabout your reading experience.


03_180433 intro.qxp 2/25/08 7:17 PM Page 6

Part IServers at Your

Service

04_180433 pp01.qxp 2/25/08 7:17 PM Page 7

In this part . . .

In this part of the book, you get an introduction to thebig star in this production — namely, Windows Server

2008 — as you dig into its features, functions, and require-ments. But we also introduce you to the whole servercircus as we explain what makes servers so special andwhy taking care of clients is both a joy and a chore. Youeven get a chance to meet and make sense of the networkpieces and parts necessary to bring clients and serverstogether to help bring home the bacon.

Each chapter presents its information in small, easy-to-read sections. If information is really technical (mostlyworth skipping, unless you’re a glutton for punishment),it’s clearly marked as such. Even so, we hope you find this information useful — and maybe even worth a giggleor two.

04_180433 pp01.qxp 2/25/08 7:17 PM Page 8

Chapter 1

Making Windows Server 2008Serve You

In This Chapter� Understanding the client-server network model

� Meeting the Windows Server 2008 product family

� Finding out about added and enhanced security features

Windows Server 2008 is the latest and greatest version of Microsoft’sflagship server platform and the successor to the hugely popular

Windows Server 2003. Prior to its debut, Windows Server 2008 was code-named Longhorn, a platform that shared common client features also foundin Windows Vista, much like the relationship between Windows Server 2003and Windows XP. In fact, Windows Server 2008 even shares a common codebase with Windows Vista and therefore carries much of the same architectureand core functionality.

Both Windows Server 2008 and Windows Vista share common technical,security, management, and administrative features; an improved IPv6-capablenetworking stack; native wireless utilities; and a revamped image-basedinstallation format (among many other exciting new features). However,Windows Server 2008 is a total departure from the desktop/workstationrealm and offers enterprise and server-specific features and functionalityabove and beyond anything Windows Vista offers. In this chapter, we exploresome of these features from a 10,000-foot view and then focus on specifictopics in the chapters that follow.

Large-scale deployment options, improved self-diagnostic tools, advancedreliability and performance monitoring, and enhanced security features arejust some of the benefits that inhere to the new Windows Server 2008 plat-form. First, we take a look at server hardware and make some important dis-tinctions between workstation and server roles and responsibilities.

05_180433 ch01.qxp 2/25/08 7:17 PM Page 9

Any Server Must Do ThisThe term server speaks to a broad classification of computers that combinehardware components and software services to handle a variety of tasksmaintained through network relationships. A server takes many shapes andsizes, covers a wide range of form-factors, and includes numerous compo-nents and services. Embedded server platforms are used in network attachedstorage (NAS) devices, included in network print servers, and scale all theway up to giant mainframes capable of handling millions of simultaneoustransactions and resource-intensive processing.

The terms form-factor refers to a specific design, layout, size, and shape ofcomponent or device. A form-factor can refer to several mutually indepen-dent devices, from the power supply and its interface types to motherboardsand their various dimensions, pinouts, and connection types.

In fact, if you take a good look around your office environment, or just about any other office IT infrastructure, you can probably identify severalotherwise-overlooked servers and server applications that you use on a regu-lar basis. Modern technology puts the power of servers and server applica-tions in the hands of mere mortals, and nowhere is this more evident than inthe consumer market, where multimedia home theater PCs (HTPCs) are partof daily life for many. But back to the business world. . . .

Essentially, any server must serve a network — either clients or otherservers, or some combination of the two. The term server also includes the actual server operating system that makes the computer do its job.Commercial server software products such as Windows Server 2008 aredesigned to handle a greater frequency and variety of tasks than are typicalin either the desktop or workstation realms. Server platforms are an entirelydifferent breed of PC, as compared to their desktop and workstationbrethren, which is why they perch atop the hierarchy and the marketplacewhen it comes to buying an operating system.

Specifically, a server is designed and intended to provide services and run server applications under heavy workloads, left unattended and self-managing most of the time. For the most part, servers are self-contained, self-regulated core network entities in an enterprise or business IT environ-ment. Larger amounts of memory (upwards of 8GB or more), larger storagecapacity (terabytes, petabytes, and beyond), special storage methods (mir-roring, striping, and multiple disk aggregation), redundant power supplies,and server-specific form-factors all typically distinguish specialized serverhardware components from other, more ordinary computer components.That said, plenty of servers use desktop and workstation hardware such asoptical drives, disk drives, and peripheral or display devices.

10 Part I: Servers at Your Service

05_180433 ch01.qxp 2/25/08 7:17 PM Page 10

See Appendix A for more details on server hardware components and checkout the Bonus Chapter at dummies.com/go/winserver2008 for a more in-depth discussion of server technologies.

Choosing Windows Server 2008The Windows Server 2008 platform is further subdivided into multiple pack-ages designed specifically for particular forms and functions. Understandingthe distinctions among these market offerings and then understanding howthey do or don’t meet your requirements will help you choose the right offer-ing for your budget and your computing needs.

In this section, we give you a look at some of the different offerings availableunder the Windows Server 2008 umbrella.

Meeting the Windows Server 2008 familyMicrosoft follows the usual format for marketing its server family offerings,which include both 32-bit and 64-bit varieties. Some of these editions remainfunctionally identical to the Windows Server 2003 family. These offeringsinclude the following:

� Windows Server 2008 Web Edition: Designed as a basic InternetInformation Services (IIS) server platform to build and host Web applica-tions and pages and provide eXtensible Markup Language (XML) ser-vices including Active Server Pages (ASP) and the .NET framework.

� Windows Server 2008 Standard Edition: Designed for small to mediumbusinesses, this version supports file and print sharing, works with upto four processors, and accommodates up to 4GB RAM.

� Windows Server 2008 Datacenter Edition: Designed for infrastructuresthat demand greater security and reliability features, supportive of up to64 processors and 512GB for high-availability, high-demand processingapplications and processes.

� Windows Server 2008 Enterprise Edition: Designed for medium- tolarge-size businesses as a fully-functional server platform capable ofoperating eight processors and 64GB RAM, with enterprise-class fea-tures including clustering and virtualization.

� Windows Storage Server 2008: Designed as a specialized platform for net-work attached storage (NAS) implementations and optimized for use withfile- and print-sharing services in storage area network (SAN) scenarios.

� Windows Server 2008 for Itanium-Based Systems: 64-bit Intel Itanium-based computers require a special version of Windows Server 2008entirely its own.

11Chapter 1: Making Windows Server 2008 Serve You

05_180433 ch01.qxp 2/25/08 7:17 PM Page 11

You might be thinking, “Wow, what a diverse group of systems! You can’t possibly get any better than that!” Well, that’s what Microsoft was aiming for:To expand and proliferate its new 2008 platform, Microsoft has reformulatedmany of its top products to encompass many diverse business computingenvironments. In the preceding list, the items up to and including Enterpriseare listed by increasing cost and capability; we don’t yet have informationabout the cost for Storage Server and Itanium versions, so we left those forthe end of the list.

Why use Windows Server 2008?There are dozens of compelling reasons to explore Windows Server 2008 as aviable platform for any business. In the list that follows, we give you a look atsome highlights and expand on features and functions provided inMicrosoft’s latest flagship product:

� More control: Windows Server 2008 empowers IT professionals withgreater control and management over servers and network infrastruc-ture with enhanced scripting and task-automation capabilities. Improvedself-diagnostics and remote control tools create field-serviceable plat-forms that also may be supported across the network or via the Internet.These features are described in some detail in the section entitled“Benefits of Windows Server 2008” in the Microsoft Product Overview at www.microsoft.com/windowsserver2008/evaluation/overview.mspx.

When we speak of field-serviceable parts, we mean those componentsand devices that can be operated and fixed onsite, or in the field. Manycomputer-related issues can be resolved onsite, but there are certain cir-cumstances where a part must be sent to a well-equipped servicedepartment or parts distributor.

Role-based, image-driven platform installation streamlines large-scaledeployment processes and includes new utilities to facilitate creation ofcustom installation images and custom recovery images, all under oneumbrella. The new Server Manager console delivers a consolidated, cen-tralized control center for managing server configurations and relatedsystem information. See Chapter 6 for more information on the all-newServer Manager console.

� Greater flexibility: Windows Server 2008 supports custom modifica-tions to better adapt to ever-changing business needs. Enhanced flexibility for mobile users, integrated virtualization (which means thatone server can look and act like a bunch of servers, as far as its usersare concerned), centralized application access, and new deploymentoptions create a workable platform to suit a variety of enterprise net-working scenarios.


05_180433 ch01.qxp 2/25/08 7:17 PM Page 12

You can create a custom installation image, or several, based on a coreset of necessary applications and configurations and then roll it out toan entire enterprise in a completely automated, unattended fashion toexpedite upgrades and new installations.

� Better tools and utilities: The new Windows PowerShell command lineinterpreter and scripting language facilitates more administrative controland productivity and better monitoring and analysis of system perfor-mance with its new Reliability and Performance Monitor. Plus, you canmanage and secure multiple server types using the new Server Managerconsole, which provides centralized access to common administrativetools. PowerShell functionality is beyond the scope of this book andremains in beta status at the time of this writing, so we don’t include mate-rial on this subject. See www.microsoft.com/windowsserver2008/powershell.mspx for more details on PowerShell.

� Increased protection: Windows Server 2008 delivers improved securityfeatures that increase platform protection, reduce attack surfaces, andprovide a firm foundation on which to construct and operate a business.The very core, or kernel, of the operating system is now better protectedagainst various forms of attack. Windows Service Hardening makesInternet-facing services more resilient to Internet attacks, and a varietyof access protections and cryptography services strengthen theWindows system. See Chapter 14 for more information on securitytopics related to Windows Server 2008.

� New and improved TCP/IP features: Windows Server 2008 includesmany changes and enhancements to the Next Generation TCP/IP stack,such as IPv6 enhancements and policy-based Quality of Service (QoS)for enterprise networks. The Next Generation TCP/IP stack is a totalredesign of traditional network stack functionality for both IPv4 and IPv6protocol versions. Receive window auto-tuning, neighbor reachability,dead gateway detection, black hole router detection, routing compart-ments, and explicit congestion notification are just a few of its newlyadded and updated capabilities. (See Chapter 2 for more on the NextGeneration TCP/IP stack.)

� Self-healing NT File System (NTFS): In the past, file system errors oftenrequired that a disk volume be taken offline for service, which clearlyimpacted business flow. A new feature and added benefit of the WindowsServer 2008 platform is its inclusion of a real-time recovery or self-healingprocess for the NTFS storage format. That way, businesses can remainoperational even in the face of file-system-related issues.

� Server Message Block version 2 (SMB2): The de facto standard for net-work file systems in the Windows realm is SMB, now revamped to handlescalable increases in server workloads more expeditiously.


05_180433 ch01.qxp 2/25/08 7:17 PM Page 13

� Windows Server virtualization: Windows Server 2008 provides a built-in virtualization capability to enable multiple separate operating systeminstances operating at the same time, using the same hardware. Userssee multiple servers, each with their own data sets, services, and accesscontrols, but IT departments can manage multiple virtual servers on asingle set of server hardware.

� Server Core: A new installation option for Windows Server 2008includes a stripped-down, graphical interface-free server platform that contains only those components and subsystems necessary for ahigh-availability server that requires fewer updates and less servicing.Envision a cluster of low-overhead, virtualized, highly optimized serveroperating systems running stripped-down core roles like DHCP or DNS inprotected environments, completely autonomous, managed only by asingle terminal, and you’ve got the right idea.

These are just some of the exciting new things going on with Windows Server2008. You’ll find out about many of these capabilities in more detail in thechapters that follow.

Exploring Windows Server 2008Networking Features

Generally speaking, from a networking perspective, it’s safe to assume thatWindows Server 2008 does everything that previous versions of WindowsServer have done — including automatic client addressing (DHCP), directoryservices (Active Directory), network name resolution (DNS, WINS, and so forth), as well as a whole slew of networked applications such as e-mail,databases, transaction processing, and so forth. In fact, Windows Server 2008does more for networking than previous versions have done, especially whereadvanced network performance (auto-tuning and optimization), network security, network-based offload and acceleration technologies, and simplifiedmanagement and diagnostics are concerned. For the complete Microsoft ver-sion of this story, see “Windows Server 2008 Networking Features” at www.microsoft.com/windowsserver2008/platnetworking/default.mspx.

Providing services through your serverThe client-server paradigm operates largely on client requests for server ser-vices. Such requests require both server and client hardware and compatiblesoftware, which are necessary to facilitate network functionality between the


05_180433 ch01.qxp 2/25/08 7:17 PM Page 14

two. At the most basic level, a client must have a network connection avail-able to transmit a request for services. Likewise, the client must have the cor-rect software installed to formulate an intelligible request and pass it to thenetwork, where a server can notice and respond to such a request.

Servers respond to client requests through a listener process represented byapplication services such as File Transfer Protocol (FTP) and Telnet. Thisprocess runs continuously, dispatching inbound client connections as theyarrive and managing transitional connection states through the native TCP/IPstack implementation.

On the software side, servers require the following elements to make servicesavailable across the network:

� Network drivers enable the server to communicate with its networkinterface. This software lurks in the background and exists only to tiethe computer to the network interface.

� Protocol stacks send and receive messages across the network. Thissoftware also lurks in the background and provides a common languageshared with clients used to ferry information across the network.

� Service applications respond to requests for service and formulatereplies to those requests. This software runs in the foreground and doesthe useful work. The service application includes the listener process,the temporary execution threads, and some type of configuration ormanagement console so that it can be installed, configured, and alteredas necessary.

Most software that resides on a server is network aware because delivery ofinformation via network is a server’s primary function. Some application andprotocol services that are performed on behalf of a server computer includeActive Directory, SQL Server database engines, Exchange e-mail servers, andQuality of Service networking.

Three improvements to existing services and one additional service inWindows Server 2008 include:

� Failover clustering: Improvements to failover clusters (previously calledserver clusters) simplify setup and management and better secure clusterdeployment and enhance operational stability. In addition, both net-working and communication to storage devices are improved to increaseavailability of applications and services.


05_180433 ch01.qxp 2/25/08 7:17 PM Page 15

The concepts and terminologies known as failover and clustering aren’tsomething you’ll encounter with only casual computing experiences, sodon’t feel threatened if these are entirely foreign to you. A cluster is a setof servers running one or several applications and services. A failovercluster is one in which several server computers operate cohesively sothat in the event that one fails, another takes over processing of applica-tions and data in its place.

� Network load-balancing: Advances include support for IPv6 andNetwork Driver Interface Specification (NDIS) 6.0, Windows ManagementInstrumentation (WMI) enhancements, and improved functionality withInternet Security and Acceleration (ISA) Server. Network load-balancingredistributes the load for networked client/server application requestsacross a set of cluster servers.

� 802.1X authenticated wired and wireless access: Authenticated accessfor both networking technologies relies on 802.1X-compatible Ethernetswitches and access points (APs) to provide port-based network accesscontrol. This prevents unauthenticated or unauthorized accesses andpacket transmission to user and computer resources.

Managing the user experienceWindows Server 2008 provides a single central source for managing serveridentities, system information, server status, configuration problem identifi-cation, and role management through the new Server Manager console.Server Manager is an expanded Microsoft Management Console (MMC) snap-in that enables you to view and manage virtually all information and toolsaffecting server productivity.

Server Manager replaces features included with Windows Server 2003, such as Manage Your Server, Configure Your Server, and Add or RemoveWindows Components. It also eliminates the requirement for the SecurityConfiguration Wizard to run prior to server deployment, because roles areconfigured with security settings by default and easily deployable onceinstalled and configured. See Chapter 6 for more on Server Manager.

Keeping it all safe and secureWindows Server 2008 includes an impressive array of new security applica-tions and features that further enhance enterprise deployments, particularlywithin hostile environments or under potentially threatening scenarios.Today’s Internet is a brightly illuminated world that casts shadows, and fromthose shadows arise criminal aspirations that seek to infiltrate, pilfer, and


05_180433 ch01.qxp 2/25/08 7:17 PM Page 16

undermine Internet-accessible businesses. Microsoft has stepped up itsWindows Server 2008 defenses to better serve the computing public thatcan’t always defend against unforeseen, persistent, or stealthy attack.

The following paragraphs briefly summarize some of the new and newlyenhanced security features of the Windows Server 2008 family:

� BitLocker Drive Encryption is a security feature of both Windows Vistaand Windows Server 2008 (again sharing a common base) to providestrong cryptographic protection over stored sensitive data within theoperating system volume. BitLocker encrypts all data stored in theWindows volume and any relevant configured data volumes, whichincludes hibernation and paging files, applications, and application data.Furthermore, BitLocker works in conjunction with Trusted PlatformModule (TPM) frameworks to ensure the integrity of protected volumesfrom tampering, even — and especially — while the operating systemisn’t operational (like when the system is turned off).

� Windows Service Hardening turns Internet-facing servers into bastionsresistant to many forms of network-driven attack. This restricts criticalWindows services from performing abnormal system activities withinthe file system, registry, network, or other resources that may be lever-aged to install malware or launch further attacks on other computers.

� Microsoft Forefront Security Technologies is a comprehensive solutionthat provides protection for the client operating system, applicationservers, and the network edge. In the Forefront Client Security role, youmay provide unified malware protection for business notebooks, work-stations, and server platforms with easier management and control.Server security can fortify Microsoft Exchange messaging environmentsor protect Office SharePoint Server 2007 services against viruses,worms, and spam.

� Internet Security and Acceleration (ISA) Server provides enterprise-worthy firewall, virtual private network (VPN), and Web caching solutionsto protect IT environments against Internet-based threats. Microsoft’sIntelligent Application Gateway is a remote-access intermediary that provides secure socket layer (SSL) application access and protection with endpoint security management.

� User Account Control (UAC) enables cleaner separation of duties toallow non-administrative user accounts to occasionally perform adminis-trative tasks without having to switch users, log off, or use the Run Ascommand. UAC can also require administrators to specifically approveapplications that make system-wide changes before allowing those appli-cations to run. Admin Approval Mode (AAM) is a UAC configuration thatcreates a split user access token for administrators, to further separateadministrative from non-administrative tasks and capabilities.


05_180433 ch01.qxp 2/25/08 7:17 PM Page 17

� Windows Firewall and Advanced Security is an MMC snap-in that handles both firewall and IP Security (IPSec) configurations in WindowsSever 2008. This edition is the first to have the Windows Firewallenabled by default. It can create filters for IPv4 and IPv6 inbound or outbound traffic and protect information entering or exiting the com-puter through IPSec. This component replaces both the firewall appletand the IPSec and IPSec-related tool sets.

� Network Access Protection (NAP) is a policy enforcement platform builtinto Windows Server 2008 that maintains a social health order for thenetwork environment by specifically requiring that connecting clientcomputers meet certain criteria. Such requirements include having acurrent, functional firewall enabled with recent operating systemupdates already in place. NAP helps create custom health code require-ments driven through policy enforcement to validate compliant comput-ers before making any connections to the protected network.

Microsoft has also gone to great lengths to improve and expand upon manyother security features, management and configuration applets, applications,and tools. We cover network security topics more in-depth in Chapter 14.

The Very Basics of Windows Server 2008Windows Server 2008 is built with components that draw on the WindowsVista family of features and functionality, with added components and capa-bilities that extend platform coverage to encompass medium and large busi-ness computing needs. From NT’s humble beginnings in the early 1990s toWindows Server 2003, Microsoft’s premier network operating system serverproduct has come a long way.

Today, Windows Server 2008 offers a reliable and scalable platform fordeploying complex intranet solutions by integrating Internet and local net-work capabilities. In other words, this product will let you play multiplayer,first-person shooter games with people across the office or spread across the globe.

Most of the advantages and benefits you enjoy with Windows Server 2003 arecontained in Windows Server 2008, along with some changes, additions, andenhancements to existing features and functionality. Most of these improve-ments are found under the hood, such as changes to how Active Directoryworks, an expansion of command line management and scripting tools,improvements to domain management, improved security mechanisms andservices, greater accessibility and authentication, and some convenient newprepare and repair options in the way installations are handled.


05_180433 ch01.qxp 2/25/08 7:17 PM Page 18

A can’t-miss interface change is the Windows Server Manager (formerlycalled Manage Your Server), which appears automatically when you log on. Inthe Server Manager window, you can manage server roles and features, andaccess Diagnostics, Configuration, and Storage utility categories and muchmore. It’s up to you whether you want to use Windows Server Manager orstart programs and utilities the old-fashioned way (by choosing Start). Wechose to bypass the Windows Server Manager by selecting the Do Not ShowMe This Console at Logon check box at the bottom of the ComputerInformation window pane.

The entire 2008 platform does offer some interesting promises that just mightbe realized. The most important of these is the reduced effort required todevelop and deploy complex e-commerce Web sites, stand-alone server coreapplication services, and large-scale simultaneous roll-outs. Windows Server2008 (as well as the rest of the .NET OS family) is tuned to provide betterInternet and network service support to clients. When used with the .NETeditions of Microsoft programming languages and networking services, youcan create an impressive online presence.

In the next chapter, we expand more on networking concepts, covering topicsthat range from multiple network interfaces to load-balancing and protocoloffload processing, application services, client-based management, and wide-scale software deployment.


05_180433 ch01.qxp 2/25/08 7:17 PM Page 19


05_180433 ch01.qxp 2/25/08 7:17 PM Page 20

Chapter 2

Server Networking PrinciplesIn This Chapter� Understanding the client/server network model

� Discovering new Windows Server 2008 features to core networking components

� Identifying client needs and positioning services

� Exploring protocol offload processing and network features

� Establishing server needs and provisioning services

� Defining network-oriented client/server services

� Examining policy-driven network-based application access

� Differentiating client and server wants or needs

For most applications, using Windows Server 2008 in a networked envi-ronment means buying into the client/server model. To help you under-

stand this networking model, which explains why it’s necessary for WindowsServer 2008 to exist, we explore the client/server model in detail in this chap-ter. Along the way, you discover more about the types of capabilities and ser-vices that client-server networks provide and the various ways that clientsand servers interact on such networks.

Understanding the Differences betweenServer and Client Networking

The client-server networking paradigm describes the basic nature of opera-tion between two computers that establish a connection and exchange dataor share resources. The process typically begins when a client caller makes arequest to a server application or service — this typifies a normal client-server transaction.

06_180433 ch02.qxp 2/25/08 7:43 PM Page 21

Now, the server may have something to give to the client, or the client mayhave something to give to the server, but that aspect doesn’t alter the rela-tionship (although it may superimpose roles, particularly where a server isactually the client to another server). This is the push/pull concept, whichdescribes the nature of data that is either pushed or pulled from source todestination.

Characteristically, the client will follow this process:

1. Initiate a request.

The client caller requests access to some resource or information fromthe remote server.

2. Wait for a reply.

A participating server issues a reply, either permitting or forbidding theconnection, which may require authentication in some cases.

3. Connect and interact.

If access is granted, the client possibly authenticates and then beginsinteracting in some fashion with the server.

Likewise, the characteristic behavior pattern for a server includes thesesteps:

1. Listen for a request.

Calling clients come and go as they please, requesting to initiate andinteract with hosted services.

2. Process the request.

Once received, the client request may optionally require authentication.

3. Connect and interact.

At this point, both client and server are connected on a common chan-nel and able to share resources or information.

What isn’t always apparent is that a single client connection may potentiallyinvolve several different servers to fulfill a single client request. Simple exam-ples are all around you:

� E-mail clients send and receive messages from e-mail servers.

� Web browser clients broker data connections to FTP and Web servers.

� Even simple numeric dots-and-decimals addresses to human-readablehostname resolutions (and vice versa) require that your computer act asa client to a Domain Name Server (DNS).

An alternative to the client/server model that you’ll hear from time to time,which we don’t discuss at great length, is the peer-to-peer (P2P) network


06_180433 ch02.qxp 2/25/08 7:43 PM Page 22

model. In this model, participants act as both clients and servers, sometimessharing multiple parts of a single piece of data or establishing an open net-work of client-server hybrids capable of either sending and receiving data orsharing resources without a formal client/server role.

More Is Better: Multiple NICs (No Cuts)Redundancy is one way of handling heavy workloads and network traffic for a single server servicing multiple clients. Multiple NICs (network interfacecards) or network adapters provide separate network stacks that are betterable to process a higher volume of traffic, create joined or separate subnets,or serve as an immediate fail-over when one interface goes down. You caneven bind, load, and prioritize settings for one interface over another.

Redundancy also enables future network expansion without the added costof new servers and lets administrators logically separate networks accordingto the network interfaces they use. Administrators can establish and main-tain server gateways that firewall inbound Internet connections from out-bound internal endpoint computers, interconnect otherwise separatenetworks and subnets, and perform a variety of other tasks.

In fact, if you take stock of the server-worthy hardware currently available onthe market, you’re likely to see at least two integrated network adapters onmany motherboards. Cheaper manufacturing costs and constant consumerdemand put those dual interfaces on board and have thus far kept themthere. However, these are limited-capability network interfaces that offer onlybasic functionality — mostly, they just do networking. Additional features areavailable from some add-in cards and stand-alone network appliances thatcan perform other tasks generally not feasible with integrated hardware, asdescribed in the next section of this chapter.

23Chapter 2: Server Networking Principles

Networking lingoNetwork stack: We use the term network stackin this chapter, which is the basis of any oper-ating system’s networking capability. In Chapter1, we called this the protocol stack, which is thesame as network protocol stack (or TCP/IP,mentioned later in this chapter), so the two areused interchangeably. Hopefully you won’t beconfused when encountering these variationsin the field.

NIC: A NIC is the hardware component thatestablishes network capability and connectivitythrough its software applications and drivers.This is the add-in or integrated interface cardwhere you plug in the network cable from arouter, switch, or broadband modem.

06_180433 ch02.qxp 2/25/08 7:43 PM Page 23

Windows Server 2008 Enhances Networking

Several underlying changes to the Windows Server 2008 networking infrastruc-ture can enhance the capability and performance of an existing (or design-phase) network, regardless if it’s at home or at work. Many of these substantialchanges, including total redesigns and new additions, are enterprise-oriented,where the primary emphasis is on capability, performance, and security fea-tures, and where advanced options are in the greatest demand. But that doesn’t mean you can’t take advantage of them, too!

In this section, we make a connection to some of these enhancements to explore what you can do with your Windows Server 2008 network environment.

Next Generation TCP/IP stackWindows Server 2008 includes a new implementation (a complete redesign)of the original TCP/IP protocol stack called the Next Generation TCP/IP stack. This new framework is a total rewrite of TCP/IP functionality for both IPv4 and IPv6. It’s designed to better meet connectivity and perfor-mance needs in various networking environments using various networkingtechnologies.

For the benefit of those stuck in a cave in Patagonia since the early 1980s,TCP/IP is the de facto standard network protocol stack for most server and workstation computers you’ll encounter, but it’s by no means the onlyone. It expands to Transmission Control Protocol/Internet Protocol andserves as the foundation for network traffic shuttled across the Internet. It’s become a nearly universal means for networked communications of all kinds.

The core network stack framework is improved and enhanced to increaseexisting functionality, complement it with supplementary performance-enhancing functionality, and further expand that framework through addi-tional features and components.

The following section covers much of the material that’s both directly andindirectly related to advances in the Next Generation TCP/IP network proto-col stack in Windows Server 2008.


06_180433 ch02.qxp 2/25/08 7:43 PM Page 24

Receive window auto-tuningIn TCP, a receive window size defines the amount of data that a TCP receiverpermits a TCP sender to push onto the network before requiring the sender towait for acknowledgement of its receipt. Correctly determining the maximumreceive window size for a connection is now automatically handled by receivewindow auto-tuning, which continuously determines the optimal window sizeon a per-connection basis using real-time bandwidth calculations.

Improved receive window throughput increases network bandwidth utiliza-tion during data transfers. If all receivers are optimized for TCP data, Qualityof Service (QoS) can help reduce congestion for networks operating at ornear capacity.


Here’s the deal with IPv6The new kid on the netblock is IPv6, the desig-nated successor to IPv4 and touted as the nextbest thing.

Primary improvements provided in IPv6 includea much larger (128-bit) address space capableof addressing 2128 unique hosts, eliminatingstopgap measures to deal with IPv4 addressspace limitations and enhancing security andmobility for networked computers. Despitethese improvements, little actual real-worlddeployment of IPv6 in a general sense limits theaccessibility and availability of this new proto-col framework to reserved, designated workinggroups in the technical field.

Outside the scope of experimental and proto-type networks in Europe and branches in high-tech companies, nobody is really using IPv6.Not even Cisco has shifted its internal infra-structure entirely over to IPv6 yet, so it’s no sur-prise (to us, anyway) that not too many otherorganizations are charging aggressively intoIPv6 deployment, either.

That said, we certainly won’t deny you the priv-ilege of exploring this new technology andexperiencing the advantages, benefits, and

contributions of IPv6 deployment in your per-sonal networking environment. We will, how-ever, encourage you to experiment entirely atyour own expense of time and money. (There’sjust too much ground for us to reasonablycover.)

Here are a few pointers to some onlineresources where you may begin your journey:

� “Everything You Need to Know about IPv6”:This is an Ars Technica article explainingIPv6 in (almost) plain English, complete withblock-assignment diagrams. See http://arstechnica.com/articles/paedia/IPv6.ars for more information.

� IPv6 Running, Understanding IPv6 &Advanced Implementation of Protocol:This daily blog is dedicated to IPv6 topicaldiscussion. Visit http://ipv6-tips.blogspot.com for more information.

� IPv6 to Standard: This Web page, devoted tothe IETF IPv6 working group standardizationprocess, lists and identifies vendors whoseproducts are IPv6-enabled. See www.ipv6-to-standard.org for details.

06_180433 ch02.qxp 2/25/08 7:43 PM Page 25

Quality of Service (abbreviated QoS) refers to the ability to shape and controlthe characteristics of ongoing network communications services. This ideaoperates on the notion that transmission and error rates (along with othertraffic characteristics) can be measured, improved, and guaranteed — tosome extent, anyway.

Compound TCPThe Next Generation TCP/IP network stack also treats connections with largereceive window sizes and large bandwidth delays to Compound TCP (CTCP),a function that aggressively increases the amount of data sent in real-time bymonitoring current traffic conditions.

CTCP also ensures that it doesn’t negatively impact other existing TCP con-nections and complements receive window auto-tuning support to providesubstantial performance gains appreciable in any high-delay, high-throughputnetwork environment.

Explicit Congestion Notification supportLost TCP segments are assumed to be lost, probably owing to router conges-tion, which triggers a congestion control mechanism that dramaticallyreduces a TCP sender’s transmission rate. With Explicit CongestionNotification (ECN; see RFC 3168, which you can find at www.faqs.org/rfcs/rfc3168.html) support, both TCP peers and routers experiencingcongestion accordingly mark packets they forward. On receipt of such pack-ets, a TCP peer will scale back its transmission rate to ease congestion andreduce segment loss. Windows Server 2008 now includes core support forthis protocol feature.

Quality of Service (QoS) supportWindows Server 2003 and Windows XP provide QoS functionality to applica-tions through QoS APIs, which are leveraged to prioritize time-sensitive network data delivery functions. Windows Server 2008 and Windows Vistainclude new facilities for network traffic management on Windows networksso that high-priority traffic is handled first, which helps with streamingmedia, voice over IP, video conferencing, and other applications where quickresponse times are needed.

Policy-based QoS for enterprise networks allows IT staff to either prioritize or manage the send rate for outbound connections, which can be confined toapplications, source/destination IPv4 or IPv6 addresses, and source/destina-tion or a range of ports.


06_180433 ch02.qxp 2/25/08 7:43 PM Page 26

Enhancements for high-loss environmentsThe Next Generation TCP/IP stack also improves network conditions in high-loss environments through several optimization features that include:

� (RFC 2582) The NewReno Modification to TCP’s Fast RecoveryAlgorithm: The NewReno algorithm provides faster throughput bychanging the way a sender can increase its sending rate when multiplesegments in a given window are lost, and the sender receives partialacknowledgement only for segments actually received.

� (RFC 2883) An Extension to Selective Acknowledgement (SACK)Option for TCP: SACK allows a receiver to determine when it hasretransmitted a segment unnecessarily and adjust its behavior on-the-flyto prevent further unnecessary retransmissions. Fewer retransmissionsresult in more optimal overall delivery.

� (RFC 3517) A Conservative Selective Acknowledgement (SACK)-basedLoss Recovery Algorithm for TCP: Windows Server 2003 and WindowsXP use SACK information only to determine those TCP segments thathave yet to arrive. Windows Server 2008 includes a method defined inRFC 3517 to use SACK information for loss recovery in the event dupli-cate acknowledgements are received, which is maintained on a per-connection basis by the Next Generation TCP/IP stack.

� (RFC 4138) Forward RTO-Recovery (F-RTO): Spurious retransmissionscan occur as a result of increases in round trip time (RTT). The F-RTOalgorithm prevents unnecessary retransmissions, particularly in wire-less environments where client adapters may roam from point to point,to return quickly to normal send rates.

These represent only some of the many additions, enhancements, and inclu-sions to the core network components in Windows Server 2008. For a morecomplete list, visit the Microsoft TechNet article at www.microsoft.com/technet/network/evaluate/new_network.mspx.

Offloading protocol processingCertain specialized network interfaces and hardware are capable of offload-ing the often resource-intensive burden of processing TCP/IP network stackinformation, which requires handling of a multilayered protocol framework todeliver encapsulated data. This frees up local CPU and RAM to process othergeneral-purpose tasks and moves the strain of ongoing network connectionprocesses to specially-designed hardware designated for that purpose.


06_180433 ch02.qxp 2/25/08 7:43 PM Page 27

By encapsulated data, we refer to the way data is packaged as it travels downthe TCP/IP network protocol stack. Higher-level protocols are encapsulatedwithin header (and sometimes trailer) information so that lower-level routingand switching devices can process (and in some cases interpret) protocoldata.

Protocol offload processing is supported through software that is called the TCP Chimney in Windows (discussed next) and hardware that is called the TCP Offload Engine (discussed in Chapter 3).

TCP ChimneyThe TCP Chimney is a feature introduced first in Windows Vista and second —by extension — in Windows Server 2008. It’s the result of Microsoft’s ScalableNetworking initiative, which encompasses a number of changes to the corenetwork infrastructure of every new platform product. The goal is to reduceoperational overhead associated with establishing, maintaining, and terminat-ing connection state — the status of a given network connection — and all req-uisite state information throughout the lifetime of a connection. By removingsuch overhead from general-purpose resources and delegating the responsibil-ity to special-purpose network interfaces, additional computing resources arefreed up, especially on servers.

A chimney is a collection of offloaded protocol state objects and any associ-ated semantics that enable the host computer to offload network protocolprocessing to some other network device, usually the network interface.Since NDIS 6.0, Windows Server has included an architecture that supportsfull TCP offload, called a chimney offload architecture because it provides adirect connection between applications and an offload-capable networkadapter. This enables the network adapter to perform TCP/IP stack process-ing for offloaded connections, as well as to maintain the protocol state.

Changes to NDISMicrosoft’s Network Driver Interface Specification (NDIS) defines a standardapplication programming interface (API) for network adapters. The details ofa network adapter’s hardware implementation are wrapped by a MAC devicedriver so that all devices for the same media are accessed in a common, pre-dictable way.

NDIS provides the library of functionality necessary to drive network interac-tions for the Windows platform that both simplifies driver development tasks


06_180433 ch02.qxp 2/25/08 7:43 PM Page 28

and hides the ugliness of platform-specific dependencies. Some of the newfeatures provided by NDIS specification version 6.0 are described below.

New offload supportNDIS 6.0 now supports new offloading network traffic processing functional-ity to compatible network adapters that includes:

� IPv6 traffic offload: NDIS 5.1 (Windows XP, Windows Server 2003)already supports IPv4 protocol offload processing; NDIS 6.0 alsoincludes IPv6 traffic.

� IPv6 checksum offload: Checksum calculations for IPv6 can now beoffloaded to compliant network adapters.

� Large send offload (version 2): NDIS 5.1 supports large send offload(LSO), which offloads the segmentation of TCP protocol data into 64Kblocks. Large send offload 2 (LSOv2) in NDIS 6.0 now offloads muchlarger blocks.

Support for lightweight filter driversIntermediate filter drivers are replaced by lightweight filter (LWF) drivers, acombination of an NDIS 6.0 intermediate driver and a miniport driver. LWFimproves performance, consolidates protocol driver support, and provides a bypass mode where LWF examines only select control and data paths.

Receive-side scalingMultiprocessor computers running Windows Server 2003 or Windows XPassociate a given network adapter with a single processor. That individualprocessor must handle all traffic for that interface, despite the fact that otherprocessors may be available. This impacts Web- and file-server performancewhen client connections reach the serviceable limit of that associatedprocessor.

Incoming traffic that can’t be handled by either network interface or serverprocessor will be discarded, which is undesirable in just about every situa-tion. This increases the number of TCP/IP-oriented session serialization andsequence identifiers and amplifies performance penalties as a result of net-work stack retransmissions.

Both session serialization (sessions encoded as a sequence) and sequenceidentifiers (unique numeric values associated with serialized sessions) arerelated to the protocol stack. These properties help identify what portions of data are assembled and in what order, such that portions arriving out-of-order are properly reordered and those that never arrive are requested again.


06_180433 ch02.qxp 2/25/08 7:43 PM Page 29

Windows Server 2008 no longer associates a network adapter to a singleprocessor; instead, inbound traffic is distributed among the available proces-sor array and processed accordingly. This feature is called receive-side scal-ing, which allows for more inbound traffic on high-volume network interfaces.A multiprocessor server computer can scale its ability to handle incomingtraffic without additional hardware, so long as compliant network adaptersare already in place.

Networking Is About Services, TooIn the first part of the chapter, our discussion of Windows Server 2008 princi-ples covers mostly the new features included to core networking components,the NDIS 6.0 API, and protocol offload processing. Networking isn’t just aboutthese features — in fact, they represent the unseen or transparent infrastruc-ture upon which all services are built and operate.

Networking is much more than the communications protocols, offloadengines, and security frameworks that serve as the basis for connectivity.Networking might not have a purpose or place without the necessary applica-tion services that server computers host for client computers (comprised ofworkstations and servers), so that both may interact in some fashion.

A network, by and large, is for the people — the very endpoint representa-tives that create network connections. But it isn’t entirely about what thepeople — or clients — want; much of the way a network infrastructure isdesigned, constructed, and maintained is dictated by what the businesswants and needs.

In the following sections, we take a closer look at the very distinctions thatdifferentiate client and server wants and needs in terms of application andbackground services.

What clients wantClient computers and personnel want a lot of things: easy access, worry-freereliability, unfaltering dependability . . . and probably some other things theyaren’t quite sure of or don’t know how to articulate in techie terms. Whowants to configure an IP address every time a connection is made to thesame, or any, network? What about sharing a common connection amongother computers?


06_180433 ch02.qxp 2/25/08 7:43 PM Page 30

Simple naming schemes, remote Web-based application access, and transac-tion-driven database services are just some of what clients want. Let’s delve alittle further into these topics for your personal benefit.

DHCPDynamic Host Configuration Protocol (DHCP) is a set of rules used by net-work communications devices to request and obtain an IPv4 or IPv6 addresslease assignment from the available pool of administrator-specifiedaddresses. DHCP alleviates the need for network administrators to actuallymake such assignments by hand, freeing them up to handle other tasks.

A DHCP server ensures that uniquely-generated, dynamically allocated IPassignments are made to connecting clients, along with whatever preferentialserver settings may apply to the client connection. However, it can alsoensure that the same IP is given only to a specific machine every single timeit connects. DHCP is successor to an older Boot Protocol (BOOTP), whichachieved a very similar goal.

DHCP automates not only the assignment of IP addresses but also subnetmasks, default gateways, and other lease-related parameters. On boot-up, aconnecting client will issue a request to the network for its personal addressassignment to the DHCP application service. In turn, the service applies a setof rules that govern the assignment and return the requested informationback to the client.

DHCP provides three modes for allocating addresses:

� Dynamic: Clients are provided an address assignment lease that expiresafter some specified duration of time. Reconnecting client computersmay or may not receive the same IP address, and no real concern isgiven to consistency.

� Automatic: Also known as DHCP Reservation, an automatic assignment isone where a given address is permanently assigned to a particular client.The DHCP server selects from a range specified by the administrator.

� Manual: Client-based address selection and DHCP protocol messageresponse inform the server of the new address allocation. The DHCPserver performs the allocation based on a table with interface hardwareor MAC addresses, where administrators manually specify IP and MACpairs for connecting clients.

Network administrators not only reduce the amount of repetitive and poten-tially unnecessary effort associated with manual address assignments, butalso eliminate the potential for configuration mistakes when configuring mul-tiple clients.


06_180433 ch02.qxp 2/25/08 7:43 PM Page 31

Windows Server 2008 enhancements to DHCP include IPv6 support (DHCPv6)and Network Access Protection (NAP) enforcement, which requires a con-necting DHCP client to prove its system health status before receiving anaddress assignment.

NATNetwork Address Translation (NAT), network masquerading, and IP mas-querading are all terms used to describe rewriting packets as they passthrough an intermediary networking device to appear as if they originatedfrom that device. There are many NAT arrangements, types, and variations,but all operate along the same lines.

NAT confers two profound advantages on outbound network traffic:

� It permits internal networks to use private IP addresses as per RFC 1918and handles incoming and outgoing traffic to make that arrangementwork.

� It hides the details of internal network addresses, whether public or private — which explains the masquerading terminology used in the preceding paragraph.

There are several distinct advantages to this kind of arrangement. Forstarters, NAT insulates internal computers from external probes, keepingcrime out like a security fence. At the same time, NAT enables many internalcomputers to utilize a single external network connection where only a single IP address is assigned. NAT originally began as a response to the IPv4 address space shortage but has proven useful in many other ways.

Sometimes, communications protocols can be sensitive to alterations inpacket header data. NAT mangles the original data contained in a packet,which can disrupt certain types of security protocols that absolutely requirea packet to pass from sender to receiver unaltered. This was the case forIPSec when it first arrived on the scene because critical portions of headerelements were modified by NAT, upon which IPSec relied. As a result, connec-tions failed, and trouble followed close behind. Today, such traffic is handledwithout much difficulty, thanks to innovations in how NAT works and howsecurity protocols are used.

Internet Protocol Security, abbreviated IPSec, is an addition to the TCP/IPframework that includes more reliable security mechanisms for an otherwiseinsecure network environment. Such capability is usually involved with large-scale environments spread across geographically diverse networks, or any-where sensitive business applications and services are privately shared overthe Internet.


06_180433 ch02.qxp 2/25/08 7:43 PM Page 32

NAT can be used for load-balancing for connection redirection, as part of a failover design to establish high-availability, as a transparent proxy for content caching and request filtration, or to connect two networks with overlapping addresses.

Name servicesWindows Internet Naming Service (WINS) is Microsoft’s implementation ofNetBIOS Name Server (NBNS) on Windows and is very similar to the relation-ship between DNS and domain names. This is a basic service for NetBIOScomputer names, which are dynamically updated and mapped through DHCP.WINS allows client computers to register and request NetBIOS names and IPaddresses in a dynamic, distributed fashion to resolve locally-connectedWindows computer resources.

A single network may have several WINS servers operating in push/pull repli-cation, perhaps in a decentralized, distributed hub-and-spoke configuration.Each WINS server contains a full copy of every other WINS server’s recordsbecause there’s no hierarchy as with DNS — but the database may still bequeried for the address to contact (rather than broadcasting a request forthe right one).

WINS is only necessary if pre-Windows 2000 clients or servers or Exchange2000/2003 clients are present and resolving NetBIOS names. Realistically,most networking environments are better served by DNS as a preferablealternative to WINS, particularly in Windows Server 2003 or 2008 environ-ments. However, WINS remains an integral function in Windows network tosupport older clients using legacy software.

Application accessTerminal Services (TS) in Windows Server 2008 implements Microsoft’s mostpowerful centralized application access platform and offers an array of newcapabilities that reshape administrator and user experiences alike.

TS provides centralized access to individual applications without requiring a full-fledged remote desktop session (although that’s still an option).Applications operating remotely are integrated on local user desktops, wherethey look and feel like local applications. An organization can employ HTTPSover VPN to secure remote access to centralized applications and desktops.

Using TS in a Windows Server 2008 environment enables you to:

� Deploy applications that integrate with the local user desktop.

� Provide central access to managed Windows desktops.

� Enable remote access for existing WAN applications.

� Secure applications and data within the data center.


06_180433 ch02.qxp 2/25/08 7:43 PM Page 33

Windows Server 2008 TS includes the following features:

� TS RemoteApp: Programs accessed through TS behave as if they runlocally on a remote user’s computer. Users may run TS RemoteApp programs alongside local applications.

� TS Gateway: Authorized remote users may connect to TS servers anddesktops on the intranet from any Internet-accessible device runningRemote Desktop Connection (RDC) 6.0. TS Gateway uses RemoteDesktop Protocol (RDP) via HTTPS to form a secure, encrypted channelbetween remote users.

� TS Web Access: TS RemoteApp is made available to remote end usersthrough TS Web Access, which can be a simple default Web page used todeploy RemoteApp via the Web. Resources are accessible via bothintranet and Internet computers.

� TS Session Broker: A simpler alternative to load-balancing TS is providedthrough TS Broker, a new feature that distributes session data to the leastactive server in a small (two to five) farm of servers. IT administratorscan even map several TS IP addresses to a single human-addressable DNSname, so end users needn’t be aware of any specific settings to connectand reconnect TS broker sessions.

� TS Easy Print: Another new feature in Windows Server 2008 enablesusers to reliably print from a TS RemoteApp program or desktop sessionto either a local or network printer installed on the client computer.Printers are supported without any installation of print drivers on the TS endpoint, which greatly simplifies the network sharing process.

In addition, the Application Server role in Windows Server 2008 provides anintegrated environment for customizing, deploying, and running server-basedbusiness applications. This supports applications that use ASP.NET, COM+,Message Queuing, Microsoft .NET Framework 2.0/3.0, Web Services, and dis-tributed transactions that respond to network-driven requests from otherapplications and client computers.

The Application Server role is a requirement for Windows Server 2008 environ-ments running applications dependent upon role services or features selectedduring the installation process. Typically, this role is required when deployinginternally-developed business applications, which might be database-storedcustomer records interfaced through Windows Communication Foundation(WCF) Web Services.

Data-based servicesCentralized application and data access helps secure sensitive and/or per-sonally identifying information to the remote working environment. Less data


06_180433 ch02.qxp 2/25/08 7:43 PM Page 34

leaving the corporate network reduces the risk of accidental or incidentaldata loss through the interception, theft, or misplacement of company note-books. Through TS Gateway and TS RemoteApp, participants can be limitedto a single application or several resources, without exposing any more infor-mation than necessary to do their jobs.

For those mobile users out in the field, BitLocker Drive Encryption provides a complete cryptographic solution to safely and securely store sensitive data at rest. Everything up to core Windows operating system data and filesgets cryptographic coverage so that tampering by unauthorized parties isthwarted, even if the hard drive is removed and the notebook is manipulatedin any way.

Windows Server 2008 File Services are technological provisions that facilitatestorage management, file replication, folder sharing, fast searching, andaccessibility for UNIX client computers. See Microsoft TechNet articles forinformation on these features.

Web-based servicesTask-based Web server management is handled in Internet InformationServices (IIS) 7.0, a powerful, modular platform for remote applications andservices with enhanced security, featuring health monitoring for Web services.IIS 7.0 and .NET Framework 3.0 provide the basis for application and user connectivity, enabling users to distribute and visualize shared information.

Windows Server 2008 SharePoint Services is a scalable, manageable platformfor the collaboration and development of Web-based business applications.This can be installed as an integrated server role through the new ServerManager console — no more downloading and running Setup. The SharePointProducts and Technologies Configuration Wizard runs you through the instal-lation process for server farm configurations, dramatically easing the deploy-ment options for large-scale enterprise networks. Consult Microsoft TechNetarticles for more information on SharePoint Services.

What enterprises wantEnterprise wants and needs far exceed anything the desktop or workstationconsumer group can possibly offer. Most of those wants and needs centeraround managing resources or maintaining connections among desktops,workstations, and other server computers.


06_180433 ch02.qxp 2/25/08 7:43 PM Page 35

Active DirectoryActive Directory (AD) is an implementation of the Lightweight DirectoryAccess Protocol (LDAP), a protocol and service framework that deliversdirectory services to Windows-based networks. AD provides central authenti-cation and authorization services, global policy assignment, widespread soft-ware deployment, and large-scale updates for an entire organization.

AD Directory Service (DS) is used to centrally store and manage informationabout the network resources spread across a given domain. The frameworkitself holds a number of levels that include forests, domains, and trees, asdescribed in fuller detail in Chapters 7 and 8.

Access controlsEmployees are defined by their roles or capacities within an organization.There are leadership roles, management roles, and general occupational rolesto fulfill, each defined by separate duties, privileges, and responsibilities.Among those privileges and responsibilities are varying layers of access tobusiness-related information. For example, a general employee has no realreason to access or modify management-related information, such as workschedules or other employees’ contact information.

In much the same way, users are defined in a system by their access privi-leges on that system. Access controls are captive restrictions set in place onserver computers necessary to prevent accidental, intentional, and unautho-rized use of data, files, and settings, particularly those critical to systemoperation.

One feature Windows Server 2008 brings to the table is Network AccessProtection (NAP), which enforces strict health checks on all incoming clientconnections. That is, it inspects the state of the client to make sure it meetsrequirements for antivirus and antispyware coverage and currency, Windowsupdate currency, and so forth.

Policy-based controlsPolicy-based controls on the Windows Server 2008 platform are evident virtu-ally anywhere a user or process interacts with the system. Active Directory(AD) Domain Services are a global configuration policy-driven frameworkused to define various Windows network parameters for an entire organiza-tion. Policy-based control is also apparent in protective access mechanismsdeployed on the network to enforce certain requirements for connectingcomputers.


06_180433 ch02.qxp 2/25/08 7:43 PM Page 36

Microsoft’s Network Policy Server (NPS) is an implementation of RemoteAuthentication Dial-In User Service (RADIUS), a network-policy checkingserver and proxy for Windows Server 2008. NPS replaces the original InternetAuthentication Service (IAS) in Windows Server 2003 and performs all thesame functions for VPN and 802.1x-based wired and wireless links, and per-forms health evaluations before granting access to NAP clients.

Policy-based controls also encompass the variety of various Windows Server2008 core components and features like network protocol-oriented QoS andsystem-wide directory services provided through AD.

Client managementIn addition to NAP features that ensure an optimal level of health forWindows Server 2008 networks, a number of other useful client managementtools are natively available on the platform. TS Remote Desktop Connection(RDC) 6.0 remotely verifies that clients are connecting to the correct comput-ers or servers. This prevents accidental connections to unintended targetsand the potential to expose sensitive client-side information with an unautho-rized server recipient.

TS Gateway also provides for endpoint-to-endpoint sessions using theRemote Desktop Protocol (RDP) with HTTPS for a secure, encrypted commu-nications channel between various clients that include FreeBSD, Linux, MacOS X, and Solaris.

Software deploymentThere’s a lot of redundancy in virtually every modern computing and net-working environment. There are multiple workstation computers for multipleemployees, possibly built with dual memory banks, dual-core processors,and doubled-up RAID drives and NICs, communicating with load-balancedservers operating in round-robin fashion — just to give a thumbnail perspec-tive of a much bigger portrait. Chances are good that in an environment likethis, when you configure, install, or modify something once, you’ll have torepeat that same action elsewhere.

Large-scale software deployments are one clear instance of this observation.Generally, you don’t install just one computer but several. It may be a fewdozen, or it may be several hundreds or thousands. Either way, do you reallywant to process each case individually by hand? We didn’t think so, and nei-ther do most administrators, which is why you hear things like “unattended”or “automated” installation.


06_180433 ch02.qxp 2/25/08 7:43 PM Page 37

Windows Server 2008 further enhances the software deployment cycle byrealizing a simple principle: Build a modular, easily modified, unified imageformat through which all subsequent installation images are created, eachunique only in the features it removes or adds to the base. The WindowsImaging Format (WIF) creates an abstract modular building block for operat-ing system deployment so that you can create in-house install images thatincorporate whatever applications, configurations, or extensions you deemnecessary. Then, you can roll out multiple installs at a time in a completelyself-contained, automated fashion that can even include previously backed-up personal user data and settings.


06_180433 ch02.qxp 2/25/08 7:43 PM Page 38

Chapter 3

Building Your NetworkIn This Chapter� Designing networks that work

� Understanding the fundamentals of network design

� Situating servers and other network devices

� Double-checking your design work

� Mapping your network

Whether you’re constructing a complete network or simply renovatingan existing network, the basic approach is the same. You begin by

planning what you want to implement, and then you gather the ingredientsnecessary to realize your plans. Next, you have to execute those plansaccording to the blueprint that you devised. The execution of any successfulnetwork project plan involves bringing all the pieces together, applying solidorganizational principles to your network, and documenting what you add(and what’s already in place) to your network.

Developing a Network Implementation Plan

Whenever you set forth on a network project, start by analyzing your require-ments. If you’re building a network from scratch, this phase can take weeksor even months of effort; if you’re simply extending or repairing an existingnetwork, planning may take a day of your time or less.

Whatever your project’s scope, your plan should contain the following:

� A brief statement of your overall objectives, plus a more lengthy statement of requirements that addresses the following:

• What applications and services users need to access

07_180433 ch03.qxp 2/25/08 7:44 PM Page 39

• Estimates of user-to-server bandwidth requirements

• Estimates of server-to-server bandwidth requirements (where applicable)

For example: The new XYZ Inc. network will provide 60 users withaccess to Windows Server 2008 file and print services, plus access to aSQL Server sales and inventory database. Each user will require no morethan 6 Mbps bandwidth, and there are no server-to-server bandwidthrequirements during business hours because all backups are scheduledfor after-hours and weekends.

� A complete list of all the elements that you must purchase or other-wise acquire to meet those objectives.

For example: At, XYZ Inc., three different department servers(Accounting, Manufacturing, and Sales) will act as routers to link twonetwork segments of 10 users each, for a total of six user segmentsbased on 100 Mbps Ethernet. The three servers will be connected with a1000 Mbps Ethernet backbone using Gigabit Ethernet (GbE). We will pur-chase six 16-port 10/100 Ethernet hubs (one per user segment, each withtwo GbE links for the corporate backbone) to leave room for growth, andthree dual-core 2.13 GHz Intel Xeon 3050 server machines, each with 8GBRAM and 2TB of disk space, along with a 16-port GbE switch to handlethe backbone itself. We will also attach three Buffalo TeraStation Pro IInetwork attached storage (NAS) units so that we can back up all threeservers across the backbone.

� A description of the role each element will play on the network, thelocation of each element on the network, the configuration of eachelement, and the time during the installation process in which youplan to add each element to the network.

You should use a map or a set of plans to help you place cables, comput-ers, and other components, and a timeline to indicate the order in whichyou have to install everything.

For example: The Accounting server will handle users from theAccounting and Purchasing departments; the Manufacturing server willhandle users from the Manufacturing and Engineering departments; theSales server will handle users from Administration as well as from theSales and Marketing departments. All servers, the backbone, and allhubs will be installed when the company is closed between Christmasand the new year. The network should be operational when normal busi-ness operations resume. A map of this network appears in Figure 3-1.

� A test plan that describes how you plan to test individual elements,individual cable segments, and the entire network (including who isresponsible for specific tasks) to make sure everything functions prop-erly after you finish the installation.

For example: The three servers will be installed first and tested individu-ally the weekend before the Christmas break. On December 23 and 24,


07_180433 ch03.qxp 2/25/08 7:44 PM Page 40

the GbE backbone will be installed. On December 28, the backbone willbe tested. On December 28 and 29, the hubs will be installed and tested.On December 30, workstations on all existing 10-Mbps cable segmentswill be connected to the new 10/100 hubs and tested individually. FromDecember 31 to January 2, automated testing software will exercise theentire network. On January 3, a network technician will visit our sitewith Bob, the site administrator, and any last-minute changes, repairs,and adjustments will be performed. We believe the network will be readyfor use on January 4.

Sales server

3rd floor

GbE

back

bone

Networkattachedstorage(NAS)

2nd floor

1st floor

Accountingserver

Manufacturingserver

Switch#3

Switch#2

Switch#1

Bob Toffice 314

Fred Coffice 315

Betty Aoffice 304

Administration(3 PCs)

Sandra Soffice 201

Yvonne Noffice 210

Accounting(10 PCs)

PC 1

PC 14room 101

Manufacturing(14 PCs)

Mary Boffice 313

Mary Boffice 309

John Foffice 316

Sally Poffice 320

Sales(10 PCs)

Shawn Ioffice 211

Carl Koffice 220

Purchasing(10 PCs)

Alex Toffice 102

Sandra Rroom 107

Engineering(14 PCs)

Sheila Eoffice 303

Jeff Loffice 302

Sam Koffice 301

Sandy Yoffice 305

Donna Boffice 308

Marketing(7 PCs)

GbE

back

bone

Figure 3-1:A simple

map of XYZ Inc.’s

networkshows allswitches,

servers, and cablesegments

laid over a simple

floor plan.

41Chapter 3: Building Your Network

07_180433 ch03.qxp 2/25/08 7:44 PM Page 41

This plan helps you to decide where you must place key network elements,such as servers, switches, routers, and other network devices. More impor-tantly, the plan also helps you determine what type of network technologyand bandwidth you need to deploy to meet your objectives. Because mostbusinesses work on a budget, building a plan also helps you make sure thatyou won’t try to spend more than you’re allowed to spend or incorporatemore exotic technologies than you can afford. Your network implementationplan should also help you evaluate your current network backbone or plan anew one to be able to carry all the traffic that normally comes together onsuch critical network segments.

Understanding Network Design’s Barest Basics

The possible implementations from which you can choose when designing anetwork are innumerable. To help you distinguish between what’s improba-ble, possible, feasible, and recommended when designing your network,here’s a set of helpful guidelines:

� Select a network technology: When adding to or expanding an existingnetwork, this decision is easy — it simply requires choosing somethingidentical to or compatible with whatever you’re using. For new net-works, you need to analyze what kinds of applications and servicesusers require:

• For ordinary office work (e-mail, word processing, spreadsheets,basic database access, and so on), 10/100 Mbps Ethernet works well.

• For high-traffic or real-time applications — such as Computer Aided Design (CAD), imaging, video conferencing, and voice overnetwork — either 100 Mbps Ethernet or GbE to the desktop makessense, depending on end-user bandwidth requirements.

• For high-availability or mission-critical business applications — suchas on-demand services and business-to-business applications —both redundant network configurations and failover clustering(first introduced in Chapter 1) should be part of your initial ITinfrastructure design.

It’s seldom necessary to deploy GbE to all desktops, but some may needit. So plan carefully to provide gigabit connections to those who do needit, and likewise, plan your backbone carefully to make sure it can handleall the aggregated bandwidth needs. (In some rare cases, a 10 GbE back-bone might be required, but usually not for most small- to medium-sizedoperations.)


07_180433 ch03.qxp 2/25/08 7:44 PM Page 42

� Position office equipment close to users: When designing a network,the smartest thing you can do is minimize the distance between usersand the resources they use most. This applies to printers (so usersenjoy easy access to output), servers (so cable runs needn’t be toolong), and other resources (such as fax machines, scanners, andcopiers) that users need to access to do their jobs.

� Closely situate mutually-dependent servers: Keep in mind that someservers act as front-end clients to other servers, which stands in con-trast to the typical client-server role. Maintain close proximity for theseservers to minimize bandwidth utilization to a reasonable level andleave the longer pathways between client and server.

� Build an online work environment: When designing a network, youalso have to take into account current working patterns and arrange-ments in your offices. (For example, if the Accounting and Purchasingdepartments work together all the time and use the same applications,perhaps they should share a server.) This also applies to the type of net-work you build. For small companies, centralized control and tight secu-rity may hamper your workers; in large companies, centralized controland tight security are the norm. You must serve the communities thatcurrently exist in your organization and use the network to help userscommunicate and be as productive as possible.

� Arrange servers, hubs, and other key resources: The places wherewiring congregates — namely at punchdown blocks, wiring centers, andequipment rooms (or closets) — sometimes dictate where certain equip-ment must be placed. Be sure to check the distance between those loca-tions and the areas where workers reside. In most cases, offices aredesigned to support cabling from a centrally located wiring center orequipment room for groups of offices. If that isn’t the case in your work-space, you may have to add new equipment rooms and wiring centers ormove workers to bring them closer to existing facilities. Either of thesesolutions takes time and costs serious money, so be sure to get manage-ment involved in deciding which options make the most sense for yourorganization.

� Build better backbones: Depending on your network technology choice,you’ll probably want to arrange your network to include a special high-way for data to travel across when multiple network cables cometogether. This can happen between servers, as with the XYZ Inc. exam-ple in this chapter. Such portions of the network are called backbones.

A backbone can be something as simple as a so-called collapsed back-bone, in which a high-speed switch links multiple cable segments andprovides a single, high-speed connection between all cable segments. Abackbone can also be as complex as a staged backbone, in which inter-mediate segments jump from switched 100 Mbps-Ethernet to switchedGbE at the server (as in the XYZ Inc. example in this chapter). Morecomplex backbones might even include a segment of 10 GbE on theinnermost segment, where traffic is heaviest.


07_180433 ch03.qxp 2/25/08 7:44 PM Page 43

� Plan for growth: When planning a network, include at least 30 percentspare, unused capacity in your design. This spare capacity shouldinclude network ports (unused ports on switches), unused networkcables in offices and cableways, and bandwidth on individual networksegments and switches. That way, you can grow within your currentenvironment for a while without having to redesign your network on aregular basis. If your annual growth rate exceeds 30 percent, design atleast one year’s planned growth into your network — better yet, oneyear’s planned growth plus 30 percent.

� Work within the system: As you discover when you start deploying anetwork in any organization, networks have a political as well as a tech-nical side. When you plan a network, you should work within yoursystem in at least two ways:

1. Make sure that management knows about and approves of what you plan.

2. Make sure that you handle the work, contracts, purchases, and so on within the rules and regulations of your organization.

If you neglect either of these guidelines, the only thing you’ll learn howto network is trouble!

� Check your design: After you put a network design down on paper,review that design against what you know about the network technolo-gies it uses. Be especially careful to check maximum cable lengths, maxi-mum number of devices per segment, and maximum number of cablesegments and devices between any two ends of the network against therules that apply to the technologies you plan to use. You don’t want tobuild a network that tries to break these rules. If you do, your networkmay not work, or worse, it may work for a while and then quit workingwhen you add users or devices. If you check your work before you build,you won’t try to build something that can’t work or that’s inherentlyprone to trouble.

� Ask for a sanity check: After you’ve put a network design down onpaper and checked your work, you should also solicit input from one or more networking experts. Redesigning a network is always easierwhile it’s still on paper; you don’t want to fix a flawed design after you’vebuilt a network. The more qualified advice you get before you startbuilding, the better off you’ll be in the long run. In fact, this advice isworth paying for because it can save you a world of hurt (or your job,for that matter).

Although this list of network design principles isn’t exhaustive, it should leadyou toward designing a network that works best for your organization.Because these guidelines consider work patterns, politics, and organizational


07_180433 ch03.qxp 2/25/08 7:44 PM Page 44

rules as well as technology, the resulting network should serve your organiza-tion well for more than just technical reasons.

Deciding Where Networking Devices Must Go

You must purchase the necessary equipment, cables, connectors, and so onand start deploying the components that make a network work. When youstart situating key network equipment — including servers, storage orbackup devices, switches, and routers — you need to make some importantdecisions about how to situate them particularly as they fit into your existingnetwork plan.

For small organizations of 25 people or less, using separate locked facilitiesto store hubs and servers may not make sense. Small organizations tend tobe more informal and are less likely to have the kind of budget that supportsa full-time information systems (IS) staff. In these circumstances, you usuallywant to situate your networking gear along with all your other gear — out inthe open with other equipment for easy access to one and all. If you do putthe networking gear out in the open, make sure that only users with validpasswords can log on to such equipment. Otherwise, we highly recommendlocking it up.

Larger organizations tend to be more concerned about security and control,and therefore, they usually situate key networking components in lockedequipment rooms and in locked wiring closets or wiring centers at variouslocations around their offices. Because the equipment has to be close to thewiring, it isn’t uncommon for servers to reside in wiring closets along withpunchdown blocks, switches, and other networking equipment.

Only authorized personnel should be allowed to access these facilities.Likewise, only authorized personnel should be allowed to add users or equip-ment to the network, usually within a system of regularly scheduled updatesor maintenance. In office buildings, for example, this usually means one ortwo wiring closets or equipment rooms per floor, where only authorized per-sonnel have keys or access codes to get into these rooms.

Choose an approach to situating your servers that makes sense for yourorganization, and stick with it. If you’re going to follow rules for placingequipment, share those rules with employees so that they know what’s goingon. In fact, formulating a security policy for most networks is a smart move,and you should regularly explain that policy to your employees in detail. (Formore information on this subject, see Chapter 14.)


07_180433 ch03.qxp 2/25/08 7:44 PM Page 45

Most small- to medium-sized companies — such as the fictitious XYZ Inc.mentioned in this chapter — put their servers into small, locked rooms ateach end of the floors they occupy in an office building. This keeps the dis-tances between users’ desktops and the wiring centers acceptably low andputs their servers alongside the punchdown blocks and switches they use,which helps manage wiring. This approach also provides controlled access to the equipment and software that makes their networks work in a smallnumber of closely managed locations. Finally, it addresses the need for ade-quate ventilation and power control that hubs and servers require for properoperation, which many wiring closets don’t offer.

Consider Hiring an Expert to InstallCable and Equipment

Normally, you install cable and equipment at the same time you build a net-work. You may run your own cables for your network and perform all equip-ment installation and configuration yourself; you may contract both the cableand equipment installation out to third parties, or you may choose somepoint between these two extremes. Whichever way you go, somewhere alongthe way you’ll be ready to put the finished pieces of your network together.

When it comes to installing cable, we highly recommend that you employexperienced cable installers with good references. The company that owns oroperates your office building may even require a licensed cable installer toperform any such work. Here’s why this is a good idea:

� Adherence to building and fire codes is mandatory, but it can also betricky; working with an experienced professional is a good way to avoidtrouble.

� Cable placement and routing are sensitive; trained professionals knowhow to avoid potential trouble spots and always test their work to makesure that the network will behave properly.

� High-speed networks are much more finicky and prone to installation dif-ficulties than lower-speed networks. The faster you want your networkto go, the better off you’ll be if you leave the cabling to an expert.

� Consult with network installers and professionals to acquire an accurateconcept as to how to lay your cable. They don’t necessarily have toinstall your network if you already have capable hands onboard, but inthe event you receive outside assistance, make sure they provide youwith the cabling plans for your organization.


07_180433 ch03.qxp 2/25/08 7:44 PM Page 46

Always Check Your Work!If you decide to install cable and/or equipment yourself, we strongly advisethat you bring up your network in small, manageable pieces. When installingmultiple cable segments, as when linking one wiring closet to another or eachwiring closet to the backbone, bring up individual segments one at a time and test them to make sure each one works before connecting all of them.Likewise, if you’re installing a backbone or a server cluster, test individualcomponents separately before trying them out en masse.

When you install equipment, apply the same principles. After you install andconfigure a machine, check it by itself to make sure it works before attachingit to the network. This is as appropriate for switches and routers as it is forserver and desktop computers, as well as network attached storage devices.

Our suggestions on piecewise checking and gradually increasing the com-plexity of your network come from experience. We found out the hard waythat throwing everything together at once can cause problems that are toohard to troubleshoot because you have to deal with too many unknowns.

Evaluating Your Network’s Performanceand Usefulness

After you build a network, you may be tempted to rest for a while to enjoyyour success. After all, you’ve earned it, right? Well, although you should certainly pat yourself on the back, you should also realize that the real workbegins as soon as users start using the network (or a new portion of an exist-ing one). If you’re responsible for a network, you must not only keep thingsrunning for the moment, but also keep them running — and running well —over time.

Whereas the network you build or extend may meet your users’ initial needs,any network’s capability to meet users’ continuing needs diminishes overtime. Growth, change in technologies, and new applications and servicesguarantee that nothing stays the same for long in the workplace — thisincludes your network as well as the systems and services that the networkdelivers to your users.

Therefore, you need to conduct regular reviews of how well your networkmeets users’ needs. In small or slow-growing organizations, you may have toreview the network only once a year. In large or fast-growing organizations,you should review the network on a quarterly basis.


07_180433 ch03.qxp 2/25/08 7:44 PM Page 47

Your network review should include at least these three elements:

� Traffic analysis and usage review: You can conduct this yourself byusing the built-in Windows Server 2008 tools and facilities, such asSystem Monitor, and third-party software tools. The idea is to take a per-formance and behavior snapshot of your network during ordinary-load,light-load, and peak-load conditions. If any of these loads encroach onthe boundaries of what the current design can reasonably support, startplanning to extend and expand your network.

� User interviews: You can interview selected users on a one-on-one basisin your organization or hold meetings with individual workgroups anddepartments. The idea is to give employees a chance to share theirobservations, gripes, and wishes regarding the network. This can giveyou a great opportunity to not only gauge user satisfaction and network-ing knowledge, but also determine whether you should give employeesadditional training on how to use the network more effectively.

� Management review: You should meet with members of managementregularly to find out what they’re planning and what future information-processing needs they’re considering. You can also gauge management’simpressions of and beliefs about the network as you report your findingsfrom the previous two items to them.

If you perform these reviews and keep in touch with upcoming changes andrequirements, you can keep your network and your organization better syn-chronized. Planning for change and growth is essential to modern networksbecause they’ve become critical business tools that organizations depend onto do their work. If you take an active approach and plan, you can stay aheadof the curve!

Creating a Network MapEarlier in this chapter, we introduce you to most of the basic principlesinvolved in designing and building a network. By now, you have a pretty goodidea about how networks work. As you spend more time around networks,however, you may realize that what they do isn’t nearly as important as whatyou know about what they do.

Whether you wrestle with networks only occasionally or full-time, you maydiscover that there’s nothing like a network map to help you find and keeptrack of routers, switches, and other network appliances on your network.


07_180433 ch03.qxp 2/25/08 7:44 PM Page 48

It isn’t a map; it’s the whole enchiladaCalling the collection of data that describes your network a map doesn’t dothis concept justice. A network map is certainly more than a mere drawingthat shows where network components live on your network, but creatingsuch a drawing is a great way to start building a network map. If you look atthe following list of devices and properties that a network map should con-tain, you’ll see why such a map is more than a mere depiction:

� A list of all computers on your network, with supporting documentation

� A list of all network equipment — such as servers and switches, plusany routers, firewalls, and so on — with supporting documentation

� A list of all printers and other similar equipment on the network — suchas scanners and fax machines — with supporting documentation

� Lines to indicate where cables run and where punchdown blocks, wallplates, and other media-related elements are located

Capturing data for your network mapBecause a network map is so important and such a powerful tool, pause righthere and start one immediately. Be prepared to spend some time and energyon this project because most of the data that makes up a network map isscattered all over the place.

Building a detailed network map is a worthwhile investment. It can pay foritself many times over as you come to depend on it. At worst, you discovermore about your network than you ever wanted to know (but not more thanyou’ll ever need to know). At best, you get to know your network so well thatit will seldom throw you a curve ball — and you may even find some things totweak and tune while building that map.

Starting at the foundationObtaining a set of your building’s architectural drawings or engineering planscan help a great deal. If you can find any drawings or plans, take them to anarchitect’s supply store and make copies that you can mark up and use as abase map. (Most plans are created using an old-fashioned, ammonia-basedcopying system called blueline. You can copy even large-sized plans for lessthan $25 per plan.)


07_180433 ch03.qxp 2/25/08 7:44 PM Page 49

If a professional cabling outfit installed your network, you should be able toget a copy of their cabling plans, which work even better than architecturaldrawings or engineering plans because they probably already show wherethe cable is laid and how much of it you have. This is another good reasonthat do-it-yourself may not be the best way to cable your network.

If no such plans are available, you can sketch a room-by-room layout on rec-tangular grid paper (such as an engineering pad) to make it easy to draw toscale. Be sure to mark the location of machines, devices, approximate loca-tions for cable runs, and so on. A network map drawn to scale enables you tovisualize the network layout, including any potential problem areas or unfore-seen complications in the final design.

Anything on your network should be on the mapAnything that merits attention or costs money is worth recording on yourmap. You don’t need to go into great detail about each and every connectoror note the exact length of every cable. (Approximate lengths within a meteror so are useful, however.) Indicate every major cable run, every computer,and every piece of gear attached to the network.

Taking stock of your networkThe information you gather while producing a network map creates adetailed inventory of what’s on your network and where everything’s located.Unfortunately, you quickly find out that this is a lot of information.

To make keeping an inventory easy for yourself (and for anyone who followsin your footsteps), build a template or form that you can fill out for each itemon the network. This approach forces you to collect consistent informationand makes delegating information gathering to others easier. Include all ofthe following information for each computer on the network:

� The hardware configuration for each machine: Include a list of allinterfaces and their settings, information about installed RAM anddrives, and the make and model of the keyboard, display, and so on. Ifyou can find out who sold you the equipment, write that down, too.

Keeping track of equipment is typically the accounting department’sresponsibility. Check with those folks for a copy of your company’s capi-tal assets or a depreciable items inventory (if available). This type ofdocumentation normally includes serial numbers and other identifica-tion for hardware on the network. If no one in your company has gath-ered such information, collect it yourself. It’s valuable.


07_180433 ch03.qxp 2/25/08 7:44 PM Page 50

� The software configuration for each machine: Include lists of configura-tion files, operating system data (including version number, most recentService Pack applied, and so on), as well as a list of programs and ver-sions installed on the machine.

� The network configuration for each machine: Include the make andmodel of each network interface card (NIC), plus a list of driver files with names, version numbers, dates, and sizes. You can capture suchdata to a file easily on Windows systems by choosing Start➪Programs➪Accessories➪System Tools➪System Information➪Hardware Resources;use this as the basis for this inventory. (On Windows XP, Windows Vista,and Windows Server 2003/2008 systems, the menu selection begins withStart➪All Programs.)

In addition to information on each computer, your inventory should alsoinclude the following data:

� A list of other equipment, such as switches, routers, storage devices,and printers: Include the manufacturer, model, make, and serial numberfor each piece of equipment. If the equipment includes memory modules,disk drives, or plug-in interface cards, get information about them, too. If the equipment uses software or firmware, record the name, version,release date, and any other information you can garner about such items.

� A list of all the cable segments on the network: Give each segment aunique name or number and associate your records with whatever typeof identifier you use for those segments. Record the type and make ofcable, its length, the locations of its ends, and any significant connec-tions or intermediate locations that you may have to visit in the future.

� A list of all the vendors who’ve worked on your network or itsmachines: Include names and phone numbers of contacts at each operation. This can be a valuable resource for technical support andtroubleshooting. Over time, add the names and phone numbers of techsupport or other individuals at these organizations who prove to beknowledgeable and helpful.

Essentially, the information gathered while creating and maintaining a net-work map forms a database of everything anyone needs to know about yournetwork. To improve access to and usability of this data, consider storing thetext for your network map in an honest-to-gosh database engine. If this is toolabor-intensive, a file- or paper-based approach works, but it takes moreeffort to maintain over time. Whichever method of recording data for yourmap you use, be sure to keep your inventory complete and up-to-date.


07_180433 ch03.qxp 2/25/08 7:44 PM Page 51

Applications such as Visio (Microsoft Office’s diagram and visualization appli-cation that can be found at http://office.microsoft.com/en-us/visio/default.aspx) and Cheops (an active network visualization toolthat can be found at http://cheops-ng.sourceforge.net/) can helpyou create network maps. Search your favorite search engine using the key-words network visualization to find other applications and companies thatcan help you with this process. If you don’t want to spend money on such atool, add the words free or open source to the front of the search string.

When the network changes, so does the map!One thing that you can always be sure of when it comes to networks: They’realways changing. Your map is only as good as the information it contains.And the map remains useful only if that information is an accurate reflectionof the real network in your organization.

Whenever anything changes on your network, make updating the map and itsassociated database a priority. Sitting down and checking your map is muchless work than walking around and looking at the real objects that the mapshows. If the map is current, you can keep on top of things from the comfortof your office. If it’s out of date, you’d better start walking!

Network Interfaces: Built-ins versus Extender Cards

Integrated and add-in components continue to define the basic classificationsfor most computer hardware. Some consumers, consultants, and computergeeks swear by and base buying decisions purely and solely on this distinc-tion. Why, then, is this distinction so incredibly special?

The advantages and disadvantages for built-in versus extender cards used tobe much different only a few years ago, when components and technologiesjust weren’t up to speed with the best-of-breed, high-speed network capabili-ties. As internal processing power and speed continue to increase, so doesnetworking power — albeit separately and for its own reasons. Point being,these two computing properties are beginning to find that happy medium,which is perhaps best illustrated by the fact that GbE network interfaces arebuilt into most contemporary retail motherboards, and server motherboardsusually have two or more built-in GbE interfaces.


07_180433 ch03.qxp 2/25/08 7:44 PM Page 52

One primary difference remains unchanged: serviceability. Clearly an inte-grated network solution is an island unto itself when damaged, even thoughit’s physically very much a part of the motherboard. That’s actually the crux of the problem — it can’t (easily, if at all!) be removed, and replacementcan be costly, up to whatever the price of the same or similar motherboardreplacement costs. Usually it isn’t so bad — a simple GbE replacement NICcosts an average of $50 as we update this chapter, whereas fancy but veryfast GbE NICs can cost from $100 to as much as $800.

As mentioned earlier, a Network Interface Card (NIC) is the basic physicalcomponent that enables you to have network capability on any given com-puter. This also requires a network stack and driver software and mayinvolve a third-party configuration utility or application.

Don’t knock your NICDon’t underestimate the worth of your NIC, and certainly don’t overestimatethe capability of a cheap store-bought generic card. The problem with cheapnetwork cards is the same as anything else: cost-saving, corner-cutting, conservative-thinking manufacturers skimp on form and feature to produce a market-ready, low-budget offering. Sure, these generic cards are okay formundane machines handling lightweight, mundane chores. But we aren’teven operating on that level — we have Windows Server 2008 to empowerand embolden our network, and there’s no sense in cutting cost on the NICbecause the difference in price is negligible to savings that can be realizedelsewhere.

Here are a few points to consider when researching NICs for your network:

� Which computers will connect to the network

� Connection types (wired, wireless) and interfaces (UTP, fiber)

� Network interface properties and services (TOE, Quality of Service, and so on)

� Security principles and procedures (encryption and encapsulation protocols)

� Server- or workstation-specific roles and responsibilities

For the most part, NICs are all the same for workstations, servers, and note-book computers. Their packaging, features, and capabilities are all specific tothe particular needs and uses for the computers they go into. The interfacesfor Ethernet and GbE are exactly the same — it’s mainly in the way that themedium is used that makes up the biggest difference. However, a fiber inter-face is incompatible with a GbE interface and requires some intervening


07_180433 ch03.qxp 2/25/08 7:44 PM Page 53

piece of network hardware to connect the two. While many such technologiescan and often do intermix on the same network, there may be performancebottlenecks that occur with each transition between separate interface typesand technologies. Such bottlenecks are unavoidable because there willalways be some transition between several network technologies and protocols in a large-scale network environment, especially the Internet.

Remember that a computer is for computing and a router is for routing.Although a computer can perform the same tasks as a router (and thensome), it may be considerably wasteful in some circumstances and just plain overkill in others. When given the option, always buy a router for rout-ing purposes and leave the computing tasks to computers (and vice versa).

Don’t stub your TOE (TCP Offload Engine)Why make something your responsibility if it doesn’t have to be? After all,offloading responsibility is how a lot of managers — ahem, we mean manage-ment applications — operate in the network world. The TCP Offload Engine(TOE) is one such technology built into network interfaces that offloads pro-cessing of the entire TCP/IP network stack directly onto a specialized NICcontroller. This process no longer has to be the typical burden to your mainCPU and RAM!

This tactic is employed within high-speed NICs and networks (typicallyGigabit Ethernet and 10 Gigabit Ethernet) where handling network stack over-head is most significant. Because TCP is a connection-oriented protocol, thisincreases the complexity and processing overhead related to the establish-ment of serially-controlled connections, checksum and sequence number cal-culations, sliding window recalculations, and eventual connection teardownand termination. In short, there’s a lot of computation and tracking requiredwhile TCP is busy at work, and that workload increases with network speedand increased demand.

TOE is a response to the increased load and network resource demandimposed by GbE hardware and the invariable increase in resource utilization.When the computer carries this burden, the CPU is interrupted repeatedlyfrom processing normal applications and processes, which slows perfor-mance gradually to the point that perceptible signs of performance degrada-tion can appear. As the network expands coverage and aggregates multipleGbE links, even the most powerful servers will eventually suffer performancepenalties under intense load. Clustering, virtualization, Internet SCSI (iSCSI),and Remote Direct Memory Access (RDMA) have all contributed to theincreasing use of TOE-enabled network interface cards because they leavemore server oomph to deliver services and handle requests outside the net-work communications realm.


07_180433 ch03.qxp 2/25/08 7:44 PM Page 54

The ever-popular ping testPerhaps nowhere is groping more appreciated than within an unresponsivenetwork environment, where it’s perfectly okay and even warranted to reachout and touch your neighbor — or several of them. Packet Internet Groper(ping) is a basic network diagnostic command that enables you to check linkstate and troubleshoot connectivity problems by sending stimulus packets toanother endpoint or intermediary device on the network, which elicitresponses from participating network devices and computers.

Ping is an essential first resort when testing network connectivity — it estab-lishes a baseline and jump-off point for further investigation or immediateresolution. You usually precede issuance of the ping command only by anobligatory physical cable connection check to ensure sanity and eliminateany silly probable causes.

Ping works by issuing Internet Control Message Protocol (ICMP) echo requestpackets to a destination and then awaits echo reply response packets. This issometimes dubbed ping and pong in honor of tabletop tennis. Ping uses inter-val timing and response rates, estimates round-trip time, and reports anypacket losses that might occur.


07_180433 ch03.qxp 2/25/08 7:44 PM Page 55


07_180433 ch03.qxp 2/25/08 7:44 PM Page 56

Chapter 4

Hooking Up Your NetworkIn This Chapter� Selecting the correct network medium

� Choosing an Ethernet technology

� Understanding the role of a network backbone

Buying computers doesn’t make a network! You have to interconnectcomputers to enable them to communicate. You can set up communica-

tions among computers in several ways; the one you choose depends onyour budget and bandwidth needs. Okay, most of it depends on your budget!

Transmission media is a fancy, generic term for cabling and wireless transmis-sion technologies. The media provide the means by which computers talk toeach other across a network. In fact, computers can communicate throughthe airwaves using broadcast transmissions, through the wiring in a building,or through fiber-optic cabling across a campus. Linking long-distance orInternet connections to local networks means that there’s almost no limit towhat your network can access!

In this chapter, you also examine different methods to interconnect networksusing cables and other media. You find out which media are appropriate fordesktop access and which work best for server-to-server activity. You alsodiscover more about network anatomy as we tackle two ticklish subjects —namely, backbones and wide area network (WAN) links.

Make a Network Medium Happy!A happy network medium has nothing whatsoever to do with a TV psychic.Rather, finding the right network medium means implementing networkcabling that won’t cause bottlenecks. Depending on whether you’re building

08_180433 ch04.qxp 2/25/08 7:44 PM Page 57

a network from the ground up or starting from scratch, you may need to takea different approach to evaluating cabling options for your network:

� If you step into a job where a local area network (LAN) is already inplace, cabling is probably in place, too. Evaluating the type, capabilities,and usability of an inherited network is almost always a good idea. Thatway, you can decide whether you can live with what you have, orwhether some change will do the network good. You may learn, forexample, that old cabling causes so many difficulties that you’re betteroff replacing or upgrading it. (We’ve popped out ceiling tiles and foundbadly spliced cables hidden from view.)

� If you’re planning a brand-new network, one of your concerns is to deter-mine your cabling needs. Decide which network cabling you’re going touse before ordering equipment for your network because you can oftenorder computers and peripherals with the appropriate network interfacecards (NICs) preinstalled and preconfigured. (Of course, NICs are prein-stalled and preconfigured on an existing network, which means yourchoices have already been made for you.) The more work you save your-self, the better!

� If a contractor handles your cabling maintenance, don’t assume thatevery old cable gets replaced if it isn’t completely up to snuff. A contrac-tor may choose to reuse substandard cables to save on material costs.Without proper wiring, your network may be in constant trouble. (Or itmay not work at all.)

If you work with a cable contractor, require the contractor to test eachnetwork cable and insist that the contractor provide you with those testresults. In fact, many companies hire one contractor to install cables andanother to test them. By doing so, they ensure that the common ten-dency to overlook errors or potential sources of problems on a networkcan be avoided — plus, it never hurts to get a second opinion.

The most common cabling technology for LANs is baseband cable, which iscable set up for baseband transmission. For this reason, we concentrate onbaseband cable in this book. Check out the sidebar titled “Use the right pipesin your network’s plumbing” for a description of baseband transmission andhow it differs from broadband transmission.

If you know what to look for, the name of a particular type of cable can tellyou all about its transmission properties. Ethernet cable notation (set downby the Institute of Electrical and Electronic Engineers, or IEEE) breaks downas follows:

� The speed of the Ethernet in Mbps

� The cable’s technology — broadband or baseband

� The cable’s rated distance in hundreds of meters or the type of cable —twisted-pair or fiber-optic cable


08_180433 ch04.qxp 2/25/08 7:44 PM Page 58

For example, 10Base5 is an Ethernet designation that stands for [10 Mbps][baseband] [5 x 100 meters = 500 meters]. From the name alone, you can tellthat the baseband cable is rated to handle up to 10 Mbps on a segment up to500 meters (1,640 feet) long.

Any time you see a T or an F in such a name, replace that letter with eithertwisted-pair or fiber-optic, respectively. For example, 10BaseT means that thisparticular baseband Ethernet cable is rated at up to 10 Mbps using twisted-pair cables. Likewise, 10BaseF means the same thing, except that it usesfiber-optic media instead of twisted-pair.

59Chapter 4: Hooking Up Your Network

Use the right pipes in your network’s plumbingWiring in a network is like plumbing in a house.Just as pipes form the pathways through whichwater flows to and from your plumbing fixtures,a network’s wiring provides the pathwaysthrough which computers transmit data usingelectrical signals. The amount of data that com-puters can move through a wiring system at any one time depends on the characteristics of the wires, or pipes, installed. The larger thepipes, the more data the computers can sendsimultaneously.

You can think of a network’s bandwidth as thesize of a network’s pipes. Bandwidth representsa range of usable frequencies and is measuredin hertz (Hz). A higher hertz rating for a networkmedium means higher available bandwidth.Higher bandwidth translates into bigger pipesto carry data. Just because you have big pipes,however, doesn’t mean you always get to fillthem completely. Therefore, it makes sense totry to measure the actual amount of data (calledthroughput) flowing through the pipes.

Different types of cabling are rated for differentamounts of data flow at different distances.Remember, however, that even if a pipe is bigenough to handle all the water you sendthrough it, that pipe can still get clogged. As a

result, although a given amount of data can the-oretically flow through a cable, in the real worldyou may see less data flow than the maximumbandwidth indicates. Plumbers will tell you that mineral deposits and other obstructionscan often restrict the water flow in pipes. Inkeeping with our metaphor, we can say thatnoise, cross-talk, electromagnetic interference(EMI), and other network maladies can oftendegrade the actual performance of your cable.Throughput, commonly measured in bits persecond (bps), describes the actual amount of data that’s flowing through a cable at any one time.

If you take one pipe and divide it into little pipes,you’ve just reinvented the concept of broad-band transmission (in which multiple transmis-sions at different frequencies use the samenetworking medium simultaneously). If the pipeis kept whole instead of subdivided, you end upwith the concept of baseband transmission (inwhich the entire bandwidth is used to carry onlyone set of frequencies and one transmission ata time).

Whew! Got all that? Maybe it’s time to call Roto-Rooter!

08_180433 ch04.qxp 2/25/08 7:44 PM Page 59

Fiber and coax make a seriously twisted pairFiber-optic cable is different from twisted-pair and coax cable because ittransmits data using light signals instead of electrical impulses. When youlook at the layout of the cable, it appears similar to coax but has a glass orplastic fiber as its inner conductor instead of a copper wire. Figure 4-1 showsyou what the inside of a fiber-optic cable looks like.

Notice that the inner glass core is sometimes called buffer coating, and theentire cable has another strong jacket around it. The outer jacket is designedto be thick enough to protect the inner fiber from being broken when thecable is handled (with care, that is).

Fiber-optic cableAlthough it has a higher price tag than electrical cables, fiber-optic cable canalso handle greater bandwidth, which means that it can transfer more dataover longer distances. Fiber-optic cable is largely immune to electromagneticinterference (EMI) and other sources of noise that affect electrically conduc-tive cables. One factor that adds to the expense of fiber-optic cable is thecare required during installation. A knowledgeable technician must carefullypolish each glass fiber with specialized tools and then add special connec-tors to the cable.

You often find fiber-optic cable installed between buildings in campus envi-ronments or between floors in a building. You rarely see fiber pulled to the

Outer jacket

Buffer coating

Cladding

CoreFigure 4-1:An inside

view offiber-optic

cable.


08_180433 ch04.qxp 2/25/08 7:44 PM Page 60

desktop because of the expense involved — you must use fiber-optic NICs,and you must attach two cables to each workstation because one cable trans-mits outbound signals and the other receives inbound signals. Although theappetite for bandwidth is always increasing, don’t expect your desktop tohave a high-fiber diet anytime soon!

In some locations, such as hospitals, it’s necessary to run fiber-optic cable to some desktops because X-ray and MRI equipment can interfere with elec-trical cables. Also, the bandwidth requirements for medical imaging equip-ment can be so extreme that conventional electrical cables can’t handle thetraffic involved.

For light signals to pass through a fiber-optic cable, you have to attach atransmitter to one end of the cable and a receiver to the other end. This iswhy you need two cables to permit any one device to send and receive sig-nals. On the transmitting end, an injection laser diode (ILD) or a light-emittingdiode (LED) sends light pulses down the cable. These light pulses reflectwithin the glass core and bounce against the mirror-like cladding through thelength of the cable until they reach a photo diode receiver at the cable’sother end. Notice that data flows in only one direction. The receiver convertsincoming light pulses into electrical signals and passes the data to the NIC.

Because of the way that light pulses travel through fiber-optic cable, splicingtwo such cables requires great care so that the cable’s signal-carrying capa-bilities aren’t reduced. Otherwise, a light pulse may arrive at the splice butmay not make it through to the other end of the cable. We call this situation abad splice, but your users will call it much worse names!

Coaxial cableCoaxial cable, also called coax, was once the most popular transmissionmedium for networks. However, with the cost of unshielded twisted pair (UTP)dropping significantly in the last few years, it’s hard to justify supporting legacycoax cabling, NICs, and other network connection devices. Older networks usedcoaxial cable exclusively before UTP arrived in the mid-1980s. Initially, onlythick coaxial cable (which we like to call “frozen yellow garden hose”) was avail-able. Thick coax is quite cumbersome to handle and a real pain in the neck toinstall. Imagine pulling a frozen garden hose through the ceiling and then havingto connect transceivers (a portmanteau or combination of two words transmitterand receiver) to that cable! Maybe a frozen garden hose is easier after all. . . .

Coaxial cable incorporates two layers of insulation. Beginning in the middleof the cable and spanning outward, the cable has a copper wire surroundedby a foam insulator, which is surrounded by a wire mesh conductor that isthen surrounded by an outer jacket insulation. This jacket, in turn, is sur-rounded by a plastic casing, called cladding. Figure 4-2 shows a cross sectionof a well-dressed piece of cable.


08_180433 ch04.qxp 2/25/08 7:44 PM Page 61

Suffice to say, coaxial cable types are a dying breed in the local network seg-ment, apart from the hybridized technology described in the next section,but remains steadfast in its behind-the-scenes placement as a provider ofmultimedia networking, television, and telephony service. We won’t go intotheir distinctions and differentiations, but we will leave you with one lastremark.

If you have a small network and a highly restricted budget, 10BaseT Ethernetis absolutely the way to go. It’s standardized, well-utilized here and abroad,and is plentiful and cheap on the open market. There really is no cost justifi-cation for legacy coaxial equipment, only the operational justification to sup-port existing legacy coaxial applications and services within the organization.

Hybrid networkingHybrid fiber-coaxial (HFC) is the telecom industry term for networks thatincorporate both optical fiber and coaxial cable to produce a broadband net-work medium for handling high load and large subscriber traffic. This seri-ously twisted pair is capable of carrying and delivering a wealth of featuresand services that include analog and digital television signals, video-on-demandprogramming, and switched digital video, telephony, and high-speed data.

HFC network coverage extends from the cable operator’s point of presence toa through point at a neighborhood hub site, which terminates at a node that

Outer casing

Wire mesh conductor

Inner insulation

Copper wire

Figure 4-2:An inside

view of coaxcable.


08_180433 ch04.qxp 2/25/08 7:44 PM Page 62

services from 25 to 2,000 homes. This cable operator’s master location alsohouses telephony equipment for providing telecom services to the commu-nity, which is individually delivered via coax. Therefore it’s common to havethe same provider supply both phone and Internet services (and possiblypublic television access, where applicable) to the same location.

HFC is the primary technology used to service many modern cable modemcommunities, so the technology is very widespread and widely utilized. Infact, it’s likely you’re already using the technology at home or work withouteven knowing it. That’s the beauty behind transparent technologies — theywork diligently for us, sight unseen, as long as we continue to rely upon them.

Wireless is media, too!Speaking of things unseen, a relative newcomer to the high-speed networkinterface assortment is another IEEE design, the 802.11 wireless (WiFi) familyof multiple over-the-air standards and modulation techniques. There are anumber of competing technologies and substandards to the 802.11 specifica-tion, but they all essentially operate in much the same fashion. Instead ofusing hard, physical network links to transmit data, WiFi pushes and pullsinformation through the air using radio frequencies. While this brings a lot ofeye-popping reactions to those previously unfamiliar with the technology, itdoes give those of us with some working knowledge and experience of thesedevices a moment to reflect and relate the reality of such devices operatingin a business network environment.

First and foremost is the fact that no physical medium is present. This defiesthe logic built into most CSMA/CD-type of access methods, where you cansatisfy line contention by merely listening on the wire for any ongoing com-munications and waiting some period of time before trying to transmit orretransmit data. (See the “Carrier sensing access methods” sidebar for moreon CSMA/CD.) Instead, participant WiFi devices must request to speak beforeopening the lines for communication, which is a more active role than themore passive eavesdropping approach employed by 802.3 Ethernet. This cre-ates extra overhead that increases with the number of participating devicesin the effective vicinity of the radio.

This lack of physical medium also opens the network to other, unintended listeners. An eavesdropper can more easily observe, record, and potentiallyintrude upon wireless network traffic. In fact, the would-be attacker need not beinside the building to observe wireless traffic. There is also a limited effectiverange for such equipment, since radio signal has a difficult time permeatingdense walls full of thick, absorbent material like metal, wood, and other ele-ments. Shade trees can also deflect radio signals and cause connectivityproblems for courtyard or outside network coverage. Additionally, any com-peting RF devices in the area will cause distortion, noise, and contention,


08_180433 ch04.qxp 2/25/08 7:44 PM Page 63

which also reduces the effective reach and range for most WiFi devices. Soyou have to deliberately and thoughtfully design the WiFi network to fit theenvironment and its signal- or quality-reducing attributes.

Data transfer rates are typically half (or less!) of the manufacturer’s ratedspeed for any given WiFi device operating under normal conditions:

� Early 802.11b devices operate on the 2.4 GHz frequency (which inciden-tally coincides with common cordless phones and causes much interfer-ence) and tend to realize around 4 Mbps, or much less than their rated11 Mbps transfer rate.

� 802.11g, the next step up, also operates on 2.4 GHz and realizes around19 Mbps versus a 45 Mbps maximum throughput rating.

Fortunately, each device is backwards compatible in that an 802.11gdevice can and will work with an 802.11b device, but only at the maxi-mum effective throughput of the slower (802.11b) performer.

� The 802.11n standard, which has remained in draft status for quite sometime now, operates on 2.4 or 5 GHz channels at speeds between 74 Mbpsand 248 Mbps, which easily eclipses anything previously seen in an air-borne data-bearing communications medium. However, this technologyis pricey and adds more cost than actual value to networks with existingGbE or better network infrastructures.

Of all the available options, 802.11g and 802.11n are the best suited for high-speed multimedia networks, especially where multiple users are involved.

Windows Server 2008 includes several changes and enhancements to 802.11wireless support, such as a native Wi-Fi architecture that features user inter-face improvements for wireless connections; wireless Group Policy enhance-ments and auto-configuration capability; and Wi-Fi Protected Access 2 (WPA2)support. The new wireless architecture also integrates with Network AccessProtection (NPA) when using 802.1X authentication, provides Wi-Fi diagnos-tics, and supports command-line settings configuration.

A final note about cablingIf you’re going to install cable yourself instead of hiring a cable contractor,here are a few final notes we’d like to share with you:

� Obtain a copy of the blueprints for your building or floor and makesure that all the electrical devices and outlets are clearly marked.

This map assists you in placing cable away from electrical devices ormotors that can interfere with your network. You don’t want to install


08_180433 ch04.qxp 2/25/08 7:44 PM Page 64

cable near elevator motors, transformers, or other heavy-duty electricaldevices (unless you’re using fiber-optic cable, and even then, you needto protect it from potential sources of damage or wear and tear).

� Obtain all relevant local, state, and federal building code regulationsand make sure that your plans conform to such ordinances.

You need to evaluate these requirements before purchasing any cablebecause some codes require you to purchase plenum-rated, fire-retardantcable. Other codes require you to use plenum-rated cable only when yourun cable through locations that are likely to catch fire rapidly. In anycase, it behooves you to know the rules before you purchase and installa network.

Plenums are the air-handling spaces between the ceiling of one floor andthe bottom of the floor above where cable is often strung. Fires spreadmore rapidly in these areas because air carries fire rapidly; therefore,plenum-rated cable is mandated for use in such spaces to keep fire andsmoke from spreading through a building.

� Determine which parts of the network you can build and maintain onyour own and which parts you need to subcontract.

For example, if you have the time and inclination to build cables andalso have the time to troubleshoot the network when those cables don’twork, so be it. We recommend that you buy as much prefabricated cableas possible and make cables only when you absolutely must. Why?Because companies that make cables do it all the time, and they’re goodat it. If you make cables for your network only occasionally, you mayintroduce problems.

� Try to hire a contractor to install cable for your LAN.

The wiring is your network’s infrastructure. If the wiring isn’t installedproperly, it can cause endless network snafus. Wiring contractorsshould provide you with bids, install the cabling, label all cables, testand certify all cables, and provide you with final documentation. You’reresponsible for keeping them on track. Don’t assume that a contractorwill follow local ordinances unless you make him or her do it. Put allexpectations in writing and keep tabs on the work.

Raising the Bandwidth CeilingAs organizations have come to depend on LANs and WANs, they’ve put moreapplications and information on their networks. Speedy retrieval of suchinformation becomes critical to such organizations. This retrieval is wherethe need for additional bandwidth most often manifests itself.


08_180433 ch04.qxp 2/25/08 7:44 PM Page 65

Conventional text-only documents don’t normally put much strain on a net-work. But today, data often takes the form of audio, video, graphics, andother types of multimedia. Such files or data streams are much larger thanplain-text files and often impose delivery deadlines on networks. If this ishard to picture, think how frustrating it is when the audio track and the videotrack get out of synch on your TV, and then multiply this frustration by sev-eral orders of magnitude. Then consider what delivering time-sensitive audio,video, or multimedia data over a network really requires.

Such complex forms of data can easily consume the full bandwidth of an ordi-nary 10 Mbps network while handling only one or two users’ needs. That’swhy an increasing appetite for higher-bandwidth networks is emerging in theworkplace. Such added bandwidth is increasingly necessary to handle themore complex types of data traversing the network and to prepare the infra-structure to deal with emerging applications, such as network teleconferenc-ing, network telephony, collaborative development, and all kinds of othergee-whiz technologies now under construction.

This is why we feel compelled to tell you about some of the cabling alterna-tives available for today’s networks that might be able to handle tomorrow’sbandwidth needs.


Carrier sensing access methodsNetworks use sets of rules, called protocols, tocommunicate with one another. Some networktechnologies operate in a free-for-all, in whichany computer can send and receive data when-ever the shared network medium isn’t alreadyin use.

Computers must listen to the media to determinewhether it’s in use (indicated by active signals on the media). If a computer wants to transmit, it stops and listens, like the well-man-nered little computer it is, to see whether some-one else is talking. If the computer doesn’thear any signals, it can go ahead and transmitright away. When another computer does thesame thing at more or less the same time, datafrom one computer collides with data from

another, and both computers must back off andtry again.

You want to have something in place to deal withthese kinds of collisions. Ethernet implementsCarrier Sense Multiple Access/CollisionDetection (CSMA/CD), whereas 802.11 wirelessuses CSMA/Collision Avoidance (CSMA/CA) tomonitor radio channels and wait for an opportu-nity to broadcast or transmit data. Because thereis no physical medium for 802.11 transmission,compliant network devices must be designed tolisten for radio signals on designated channels.

The names that describe how these technolo-gies access network media are called accessmethods.

08_180433 ch04.qxp 2/25/08 7:44 PM Page 66

100 Mbps EthernetTwo flavors of 100 Mbps Ethernet are available today, each with its own par-ticular access method: CSMA/CD (this means Carrier Sense Multiple Accesswith Collision Detection; we discuss it in detail in the sidebar titled “Carriersensing access methods”) and demand priority (as described later in thischapter). When proposals for 100 Mbps were solicited, two factions emerged:one that used the same CSMA/CD access method used in conventionalEthernet (now known as Fast Ethernet, or 100BaseT ) and another that used ademand priority access method (now known as 100BaseVG-AnyLAN ).

Both factions put proposals forward to implement their approaches.Curiously, both proposals were ultimately accepted as standards, but eachone fell under different IEEE committees. Today, the Fast Ethernet standardfalls under the 802.3 standards family, and the 100BaseVG-AnyLAN standardfalls under the IEEE 802.12 standards family.

100BaseT is similar to 10BaseT except that it runs 10 times faster. When imple-menting 100BaseT, you need to use equipment designed for 100BaseT through-out your network. But otherwise, designing and building the network is prettymuch the same as for 10BaseT. It’s even possible to mix and match 10BaseT and100BaseT technologies on a single network, but you need to include hubs thathave 10 Mbps and 100 Mbps capabilities to bring these two worlds together.

100BaseVG-AnyLAN offers the same bandwidth as 100BaseT but uses fourpairs of wires instead of two pairs in each cable. Doubling the number ofpairs enables a different access method, called demand priority, to controlaccess to the network medium. In addition, 100BaseVG-AnyLAN permitsdevices on the network to receive and transmit at the same time. (That’s onereason that the number of pairs doubles.)

100BaseVG-AnyLAN hubs help manage the demand priority scheme and pro-vide arbitration services when multiple requests for network access occur atmore or less the same time. When using the CSMA/CD access method, work-stations listen before sending, and they transmit as soon as they recognizethat the medium isn’t in use. This arrangement leads to collisions when twoor more stations begin to broadcast at more or less the same time, especiallyas network utilization increases. When a demand priority device wants to trans-mit data across the network, it signals the hub, and the hub determines whenthat device may access the network. This setup eliminates collisions and allowsnetworks to function at higher utilization rates than CSMA/CD can support.

On the downside, networking equipment and cabling for 100BaseVG-AnyLANis more expensive than that for 100BaseT, even though 100BaseVG-AnyLANoffers better performance. Perhaps that’s why 100BaseT has proven morepopular in the marketplace than 100BaseVG-AnyLAN has.


08_180433 ch04.qxp 2/25/08 7:44 PM Page 67

Gigabit EthernetYou’re probably wondering what you can implement on your network whenyou start running out of bandwidth even with 100 Mbps technology. Fromthere, the next step up is to Gigabit Ethernet. Although Gigabit Ethernet technologies are currently available, they aren’t yet in broad use. However,because the need for speed will never decrease, we want to give you a tasteof this technology so you can salivate over it — even if it’s unlikely to showup in your office any time soon.

To begin with, Gigabit Ethernet isn’t typically used as a networking solutionfor the desktop. (In fact, no conventional PC or other desktop machine cancome close to saturating a Gigabit Ethernet network.) Rather, Gigabit Ethernetis used primarily as a backbone technology, especially in large networks wherecertain pathways need to carry huge amounts of traffic. Ideally, Gigabit Ethernethelps boost server-to-server communications and permits ultra-fast datatransfers between switches on a network backbone.

Gigabit Ethernet uses the CSMA/CD access method and the same frame sizeand formats as conventional Ethernet. Therefore, you can integrate this tech-nology into existing Ethernet networks easily, and you don’t need to buy newprotocol analyzers, network management software, and so forth.

To jump on the Gigabit Ethernet bandwagon, the devices you need to add toyour network include

� Suitable NICs and connectors for your servers

� Proper cables (fiber-optic, in most cases, though twisted-pair optionsare under development)

� Upgrades to the routers and switches that handle Gigabit Ethernet traffic

In some cases, this emerging standard may require you to replace certainpieces of equipment; but modern routers and switches need only newEPROM chips and upgrades for certain interface cards. Eventually, as theprice of the technology drops, you may even consider adding GigabitEthernet interfaces into your high-end workstations. This probably won’t benecessary for a few more years, however.

3com offers a terrific white paper on this technology. You can download it atwww.3com.com/other/pdfs/solutions/en_US/10g_whitepaper.pdf.It gives a great overview of Gigabit Ethernet and describes what types ofapplications demand this kind of network speed.


08_180433 ch04.qxp 2/25/08 7:44 PM Page 68

The Backbone’s Connected to . . .Everything Else!

As mentioned in the previous section, 100BaseT and Gigabit Ethernet areboth well suited for network backbones. If networks have backbones, do theyalso have hip bones and tailbones? How about it?

In networking, the backbone is a particular cable segment that connectsother cable segments or that provides a high-speed link to accommodatehigh-volume network traffic on cable segments where large quantities of traf-fic aggregate. If you think about this situation for a minute and take a quicklook at Figure 4-3, you should begin to understand that saying “a cable seg-ment that connects other cable segments” and “a cable segment where largequantities of traffic aggregate” are two ways of saying the same thing.

Backbone

Manufacturing(Network C)

Shipping and Receiving(Network D)

Accounting(Network A)

Sales(Network B)

Administration(Network E)

Figure 4-3:A backbone

ties togetherall the

pieces of anetwork.


08_180433 ch04.qxp 2/25/08 7:44 PM Page 69

Simply put, a backbone provides a link to tie together many other cables. Asthe demand for network bandwidth goes up for individual users, the amountof traffic that backbones must carry increases accordingly. Backbones alsooften provide links to outside resources, such as the Internet, or access tomassive centralized data collections, such as mainframe databases and their ilk.


08_180433 ch04.qxp 2/25/08 7:44 PM Page 70

Part IIServers, Start Your Engines

09_180433 pp02.qxp 2/25/08 7:45 PM Page 71

In this part . . .

Having covered server basics and introduced the starof the show in Part I, we try to cover something

more tangible in Part II — installing and setting up a net-work infrastructure built around Windows Server 2008.

Starting with the methods for and steps involved ininstalling Windows Server 2008, you’ll see and understandwhat makes it tick and how to get it up and running on a system of your careful choosing. You also learn how to organize your server-based network and set up andpopulate the directory services that are so essential to a satisfactory server situation.

Along the way, you also discover how to install and useprint services with Windows Server 2008 and how tomanage those pesky network addresses that enable PCsto communicate with each other. As you unfurl the grandstructures that support a well-designed Windows network,you’ll come to appreciate the many things it can do foryou and your users.

09_180433 pp02.qxp 2/25/08 7:45 PM Page 72

Chapter 5

Ready, Set, Install!In This Chapter� Upgrading or installing from scratch?

� Knowing whether you have the horsepower

� Walking through the Windows Server 2008 installation from DVD

� Installing Windows Server 2008 from another OS, on a network, or remotely

� Using Windows Server 2008 installation utilities

� Troubleshooting snafus

� Automating installations

Installing Windows Server 2008 is relatively easy, but getting from start tologon takes a while. Fortunately, you can reduce many of the delays with

just a little planning. And by following our suggestions in this chapter, wehope that you can avoid some common installation problems, many of whichrelate to a lack of correct equipment. We also provide a troubleshooting sec-tion to smooth out any ruffles you encounter along the way.

Windows Server 2008 further streamlines the installation process by puttingall site-specific configuration data at the end of the installation process, onyour first boot-up to a fully installed desktop. You’ll know when you reachthat point because you’ll see the Initial Configuration Tasks dialog box.

Planning the Installation: Upgrade or New?

Whether you’re installing Windows Server 2008 from scratch or upgradingfrom a previous version, planning helps to ensure a smooth installation:

� Upgrading, as the term implies, means that you want to install WindowsServer 2008 over an existing operating system on your computer and, inthe process, retain as many settings as possible. Windows Server 2008provides numerous upgrade paths from Windows Server 2003. (See

10_180433 ch05.qxp 2/25/08 7:45 PM Page 73

Table 5-1 for a complete list of upgrade paths. This table applies equallyto 32-bit and 64-bit versions; however, cross-platform [32-bit to 64-bitand vice versa] upgrades aren’t supported.)

Note that there’s also an upgrade path from beta versions of WindowsServer 2008. If you elect to perform an upgrade installation of WindowsServer 2008 from a beta, we strongly urge you to begin by backing up allthe data on every machine that you plan to upgrade. (We cover backupsin Chapter 13.) Although you can upgrade to Windows Server 2008 with-out losing data, hardware and software sometimes have minds of theirown and mess things up. A smidgen of prevention can prevent some realheadaches!

� Installing means you’re adding Windows Server 2008 to a computer thatmay or may not already have an existing operating system. On systemswith existing operating systems, you have the option to replace the cur-rent one or create a multiboot system. A multiboot system is a computerwith two or more operating systems installed. You can choose whichoperating system you wish to load at bootup. In some multiboot configu-rations, data from one operating system isn’t accessible from otheroperating systems. For example, you can’t access NTFS partitions fromWindows Server 2008 from Windows 95 or Windows 98.

Rest assured that Windows Server 2008 will install in a multiboot config-uration with Windows Vista because they share the same code base —particularly the unique Boot Configuration Data capability. So you won’thave to put forth any extra effort with these two; previous editions ofWindows (or other OS platforms) are an entirely different matter.

Table 5-1 Windows Server 2008 Upgrade PathsIf You’re Running . . . . . . Upgrade to This 2008 Edition

Standard Enterprise Datacenter

Windows Server 2003 R2 Standard Edition X X

Windows Server 2003 SP1 Standard Edition X X

Windows Server 2003 SP2 Standard Edition X X

Windows Server 2003 R2 Enterprise Edition X

Windows Server 2003 SP1 Enterprise Edition X

Windows Server 2003 SP2 Enterprise Edition X

Windows Server 2003 R2 Datacenter Edition X

Windows Server 2003 SP1 Datacenter Edition X

Windows Server 2003 SP2 Datacenter Edition X

74 Part II: Servers, Start Your Engines

10_180433 ch05.qxp 2/25/08 7:45 PM Page 74

If you’re installing Windows Server 2008 for the first time, you need to makesome decisions about how you’re going to set up the server before you installthe software. You can install Windows Server 2008 in the following threebasic ways:

� DVD-ROM: This installation requires that you have a computer with alocal DVD-ROM drive installed. DVD-ROM installations don’t require anetwork interface, but if you plan to connect the system to a network,it’s best to have the network interface in place during installation. Wefocus on this type of installation in this chapter.

� Across the network: This type of installation requires network access,where the DVD-ROM files are available. Network access can be gainedeither from an existing operating system or a boot floppy.

� Automated: This type of installation requires you to input installationinformation into a data file that you can then merge into a script file forexecution.

You can also start installing Windows Server 2008 in several ways:

� DVD-ROM boot installation: If your computer allows the DVD-ROM driveto participate in the boot sequence, you can boot the Windows Server2008 installation program right from the DVD.

� DVD-ROM from operating system installation: If the operating system onyour computer lets you access the DVD-ROM drive, you can launch theWindows Server 2008 setup without much hassle. (See the “Step by Step:Installing Windows Server 2008” section, later in this chapter, for details.)

� Across the network installation: Do this if the Windows Server 2008installation files are available from another computer on the network.You can share the files on a shared DVD-ROM drive, or copy the con-tents of the distribution DVD onto a shared network drive. See the“Installing across a Network” section, later in this chapter, for details.

� Remote installation: Microsoft offers its Remote Installation Services(RIS) to enable network administrators to push a Windows Server 2008installation out to network systems. (Pushing an installation means thatan administrator can deploy Windows Server 2008 on a network withoutgoing to every target machine to launch its setup by hand.)

Handling preinstallation tasksBefore installing Windows Server 2008, you must perform a few preparatorypreinstallation tasks. These include the following:

� Check for application compatibility. Use the Microsoft ApplicationCompatibility Toolkit (ACT) to ascertain compatibility information aboutnetwork applications and also to prepare Windows Server 2008 for

75Chapter 5: Ready, Set, Install!

10_180433 ch05.qxp 2/25/08 7:45 PM Page 75

installation. See the Microsoft TechNet Web site about Windows Appli-cation Compatibility at http://technet.microsoft.com/en-us/windowsvista/aa905066.aspx

� Disconnect uninterruptible power supply (UPS) devices. Setup auto-matically attempts to detect serially-connected devices, and UPS devicescause issues with the hardware-detection process.

� Back up your servers. Include all data and configuration settings neces-sary for function, especially with servers that provide network infra-structure services. Also include boot and system partitions and systemstate data. You may alternatively create a backup set for the AutomatedSystem Recovery process.

� Disable virus protection software. Virus detection and preventionapplications can interfere with installation tasks, particularly in the formof performance penalties because every locally copied file is scanned forsigns of infection.

� Run the Windows Memory Diagnostic tool. Test the RAM in your targetcomputer for error-free reliability and operation. Follow the instructionsdetailed in the Windows Memory Diagnostics User Guide atoca.microsoft.com/en/windiag.asp.

� Copy mass storage device drivers. Manufacturer-specific driver filesshould be stored to an easily-accessible storage medium in the rootdirectory or in a specifically named amd64, i386, or ia64 folder,whichever is most suitable for the target hardware.

� Prepare the Active Directory environment. Before adding a domaincontroller based on Windows Server 2008 to an existing Active Directory(AD) environment based on either Windows 2000 or Windows Server2003, you need to update all older domain controllers. You can do thisbefore installing the operating system — or after running Setup andbefore installing AD Domain Services.

Windows Server 2008 Server Core installation provides only the binaries nec-essary for certain server roles to function. The traditional Windows interfacewill not be installed; instead, configuration and management are handledthrough the crude but effective command prompt. This installation optionreduces server management requirements and reduces the overall attack sur-face. If you’ve heard the expression “running headless” applied to monitor-free server computers, this is akin to running faceless.

Installation of multiple operating systems on the same server to includeWindows Server 2008 should be handled through separate partitions. Forbest results, Microsoft recommends that you start Setup from withinWindows rather than booting from the install medium, and then perform aclean custom installation onto a separate partition.


10_180433 ch05.qxp 2/25/08 7:45 PM Page 76

Preparing for the battleWe offer the following list to help you gather information and equipment youneed for your setup. The setup program in Windows Server 2008 doesn’trequire all the items that we list in the following sections, but we like to haveeverything handy when we perform an install so that we don’t need to runaround looking for things during that process.

ManualsThe following is a list of books that you may want to have within arm’s reach.(This book, of course, is the most important.)

� Windows Server 2008 manuals: In some cases, the manuals you receivewith Windows Server 2008 are in print form; in others, they’re availableonly in electronic form from the distribution DVD or online at the MicrosoftWindows Web site at www.microsoft.com/windowsserver2008/default.mspx.

� Computer hardware manuals: These are the manuals for the basemachine on which you plan to install Windows Server 2008, plus all addi-tional components or peripherals. You especially want manuals for yournetwork interface(s) and video cards.

� Modem manual (optional): Grab this manual only if you plan to installone or more modems on the server.

SoftwareIf you don’t want to hunt around halfway through the installation, make surethat you have the following software handy:

� Windows Server 2008 DVD-ROM: This disc is the DVD-ROM that shipswith Windows Server 2008. You also need the DVD key from the stickeron the jewel case, or some other legitimate license key.

� Windows Server 2008 Service Pack DVD-ROM or downloaded file:Don’t expect a service pack for Windows Server 2008 for at least three months after it’s officially released. Until then, you can skip the“Windows Server 2008 service packs” section later in this chapter. After that, it’s wise to let the OS update itself during the installationprocess.

� Network driver: Windows Server 2008 Setup should find the networkinterface(s) in the server, but keep a floppy or a USB flash drive with thenecessary drivers handy in case it doesn’t.


10_180433 ch05.qxp 2/25/08 7:45 PM Page 77

� Small Computer System Interface (SCSI) drivers: Windows Server 2008Setup should recognize all SCSI devices if they’re listed in the WindowsServer Hardware Platform info at www.microsoft.com/whdc/system/platform/server/default.mspx. Again, keep the drivers handy justin case.

HardwareOf course, setting up Windows Server 2008 also requires some hardware, par-ticularly the following:

� Computer: Make sure that the computer complies with the HardwarePlatform criteria. Remember that you’ll need at least a 1 GHz CPU, butwe don’t think you’ll be satisfied with anything slower than 2 GHz. Youalso want to have a mouse attached to the computer — it just makes lifeeasier!

� RAM: The more memory that you can afford, the better. You must haveat least 512MB, but you’ll get better results with 2GB at the very least, ifnot 4GB (more for 64-bit installations).

� DVD-ROM drive: If you’re installing Windows Server 2008 from a DVD-ROM, you need a DVD-ROM drive. Newer computers can recognize it asa boot drive; if so, you can start Windows Server 2008 installation fromthe DVD.

� Hard disk: You must have at least 10GB of free space, but we think youshouldn’t even begin with less than 40GB of available disk storage space.Even better, 80GB is closer to ideal — unless you absolutely won’t bestoring large amounts of data for short-term or long-term periods. Forwhat it’s worth, you will seldom see drives smaller than 400GB on newservers these days.

� Modem: If the server connects to the Internet or provides access toremote users, a modem (either internal or external) can provide thisconnection. We prefer at least a cable or DSL modem, particularly wherea multiple user network server is involved.

� Video: You need a Video Graphics Array (VGA) or higher-resolutionvideo adapter and monitor. We recommend Super Video Graphics Array(SVGA) as a minimum.

� Cables: Depending on the components you install, you may needmodem/network cables, telephone cables, power cords, monitor cables,and so forth.

InformationYou must make several choices as you work through the setup process.You’re better off if you already have an idea of what you’re going to answerbefore you begin the installation. Consider the items in the following list:


10_180433 ch05.qxp 2/25/08 7:45 PM Page 78

� NTFS: NTFS is the Windows Server 2008 native file system and is muchmore secure than the File Allocation Table (FAT) file system. Unless youneed backward compatibility with older Microsoft operating systems onthe same machine in a multiboot configuration, there’s really no need touse FAT.

� Licensing: You need to know how you purchased your Windows Server2008 and client licenses because the Windows Server 2008 Setup pro-gram asks you whether you want per-seat or per-server licensing.

� Computer name: Each computer needs a unique name that you canidentify easily on the network.

� Workgroup/domain name: If this is the first domain controller installedin a network, you must create a domain name. If this computer joins acurrent domain where a domain controller already exists, plan to con-nect this computer to a network with access to that domain. If you’reinstalling Windows Server 2008 in a workgroup, you need the workgroupname. Remember it’s an either/or setting, but you can always changeyour mind later.

� Protocols: Determine which protocols the server uses (or will use) tocommunicate. If you plan to use the Transmission Control Protocol/Internet Protocol (TCP/IP), see Chapter 10 for details. Decide whetheryou must configure TCP/IP manually or automatically through a DynamicHost Configuration Protocol (DHCP) server. If this server connects to theInternet, it must have at least one valid public IP address (unless youhave a NAT server handling address translation between the server andthe Internet).

� Remote connectivity options: Determine whether the server connects(or will connect) to the Internet or will host a Web server. If so, you caninstall Internet Information Services (IIS) to provide Web services andRemote Access Services (RAS) for connectivity. RAS also enables yourusers or customers to dial into the network. You can always install RASand IIS later. In either case, you need a working Internet connection.

� Server roles: The game has changed for roles that servers can playwhen maintaining a domain. The function of your server may affect howyou install Windows Server 2008, but it’s no longer a life-threateningdecision because the server isn’t configured until after initial installationis complete.

Got Enough Horsepower?Before you install Windows Server 2008 (whether you’re upgrading or creatinga new installation), you must meet Microsoft’s minimum hardware require-ments. If your server doesn’t match these requirements, your installation canhalt midway and leave you stuck in the mud.


10_180433 ch05.qxp 2/25/08 7:45 PM Page 79

Microsoft goes easy on its minimum requirements, so we provide more realis-tic numbers to meet real-world needs. If you follow Microsoft’s lead, expect adoo-dah server that lacks the zip-a-dee part. Table 5-2 shows a comparisonbetween Microsoft’s numbers and our real-world numbers.

Table 5-2 Minimum Requirements: Microsoft versus For DummiesItem Microsoft Says Real World Says

Processor 1 GHz 2 GHz or better

RAM 512MB 4GB or better

Monitor VGA SVGA or better

NIC None* One (at least 32 bit)

DVD-ROM DVD-ROM DVD-ROM (12X or better) or DVD

Hard disk 40GB+ 120GB or better*Note: A network interface of some kind (wired or wireless) is required for direct network access.If a network interface isn’t present at the time of installation, you can install it later.

You can squeak by with Microsoft’s minimum requirements, but many of yourserver’s capabilities will end up terribly slow or intractable. For example,even though Windows Server 2008 supports low-resolution monitors, youshould use a higher-resolution monitor (SVGA or better) because of theWindows Server 2008 graphical user interface (GUI) — except for the case ofServer Core installation. In many cases, more (disk space, RAM, processorpower, and so on) is better. Buy as much as your budget allows so you don’tneed to upgrade too soon.

Take a trip to Microsoft’s Web site, particularly the Windows Server 2008pages at www.microsoft.com/windowsserver2008/default.mspx.There you can find white papers and Frequently Asked Questions (FAQs) thatanswer common questions to many issues, such as licensing, minimumrequirements, and upgrades. If you don’t find enough answers there, head towww.windowsitpro.com/windowsnt20002003faq for a searchableWindows FAQ site — it includes Windows Server 2008 information.

Another important item to check is whether your server (or its components)appears in Microsoft’s Windows Server Hardware Platform or related criteria.Microsoft’s test lab tests innumerable products for compatibility with WindowsServer 2008. Obtaining Microsoft lab certification means an organization


10_180433 ch05.qxp 2/25/08 7:45 PM Page 80

can display Microsoft’s logo on its products. Also, Microsoft puts listings forcertified products in a hardware catalog it maintains for Windows Server2008–compatible items.

Selecting a network server from those listed in the catalog helps ensure thesmoothest installation because you know Microsoft has already tested andcertified that product. Certifying products for the catalog is an ongoing taskat Microsoft, and the company maintains an updated catalog for all of its cur-rent server operating system releases on its Web site at www.microsoft.com/whdc/system/platform/server/default.mspx.

If you’re unsure about the compatibility of an entire system or a specific component, look it up in the catalog or employ the automatic system com-patibility checker on the DVD. Just insert the DVD into a system with an existing Windows OS. (If the Welcome screen doesn’t appear automatically,run setup.exe from the root of the DVD.) Choose the Check SystemCompatibility option and then choose the Check My System Automaticallyoption. The test wizard loads and prompts you to download updated files. Ifyou have Internet access, this tool can always update itself with the latestand greatest catalog before scanning your system. If any problems or incom-patibilities are found, a list of problems is displayed.


Windows Server 2008 utilities aplentyNo single operating system can do everything.Programmers, and others adept at computing,typically develop small scripts or programs toperform functions that the basic operatingsystem doesn’t include. Utilities for WindowsServer 2008 abound because of its popularity.You can find many of these utilities, especiallyinstallation tools, on the Internet at popularWindows Server 2008 and NT Web sites, suchas http://windowsnt.about.com orwww.bhs.com.

In some cases, the same tool used on Windows9x, NT, or 2000 also works on Windows Server2008. However, this isn’t always the case. You

should test applications on Windows Server2008 before you use them in situations wheredata loss is possible.

Microsoft sells a Windows Server 2008Resource Kit that you can purchase on theInternet or at a bookstore. The packageincludes utilities for installation, file manage-ment, troubleshooting, and planning. As wewrite this book, the full-blown Resource Kit isn’tyet on the radar, but several subtitles are,including Windows Server Resource Kits forActive Directory, Security, and IIS 7.0. (Go towww.microsoft.com/mspress/hop/for details.)

10_180433 ch05.qxp 2/25/08 7:45 PM Page 81

Step by Step: Installing Windows Server 2008

In this section, we walk you through the whole Windows Server 2008 installa-tion screen by screen. There’s not enough space in this book to presentscreens for every possible type of installation, so in this section, we provideinstructions for the most common type: from a bootable DVD-ROM drive.

Server: Are you ready?The first major task in getting the software onto a system is to make theserver ready for the process. Generally, these are the issues you must resolvebefore traveling into the Windows Server 2008 installation process:

1. Ensure that all hardware is HCL compatible.

Although it’s possible to install Windows Server 2008 on a system withsome components not on the HCL, it’s not always easy. In short, if it isn’tHCL compatible, you don’t want to keep it in your system.

2. Install the network interface in the server (unless integrated).

Fortunately, Windows Server 2008 supports plug and play, so you canmake most card changes on the fly — unless you have a card so old itstill uses dual in-line package (DIP) switches or jumpers. Hopefully thisisn’t the case — even we aren’t sure if those are still supported.

3. If you need an internal modem and want to connect the server toexternal sources such as the Internet, install the modem.

Windows Server 2008 Setup: A walk-throughThe following steps detail the Windows Server 2008 installation process froma bootable DVD-ROM drive. Throughout this installation, we accept thedefault options.

Your system must be configured to boot from the DVD. This is accomplishedby editing the CMOS. Consult your motherboard documentation on how toenter, edit, and save the CMOS settings.


10_180433 ch05.qxp 2/25/08 7:45 PM Page 82

Ready, set, here are the steps:

1. Insert the Windows Server 2008 DVD-ROM into the DVD-ROM driveand boot the computer. If prompted to press a key to boot from theDVD, do so.

A gray GUI screen with an Install Now button appears. In addition, theWindows Setup Wizard starts automatically. You may optionally click theWhat to Know before Installing Windows link for further information onthe installation process.

Three other options also appear: Language Options, Time & CurrencyFormat, and Keyboard Input Methods.

2. Click Install Now.

The Install Windows screen appears with an option to get the latestupdates prior to installation. This is a nice new feature you’ll appreciatein time, if not instantly. If you elect to update the computer now, whichwe strongly recommend, your setup proceeds to search for installationupdates. Our instructions from here on out follow that assumption.

Optionally, you may elect to make the installation process better for sub-sequent users by selecting a check box that informs Microsoft of theinstallation process as it proceeds through your setup. Click the WhatInformation Will Be Sent to Microsoft? link, which gives you the fullscope of information collected and reported about your experience withthe Windows Server 2008 installation wizard.

Be careful when working through the GUI wizard. Often, after you clickthe Next button to continue, the system takes several seconds (some-times up to a minute) to change the display. Do not try to click the Nextbutton again — even if you think you missed the button by accident. Ifyou click the Next button twice, you skip screens, and the Back buttondoesn’t always work; in some places, the Back button is grayed out ornon-existent. If you wait two to five minutes and the system doesn’tchange the display, it’s probably safe to click Next again.

3. Click the Go Online to Get the Latest Updates button to proceed to thenext screen.

The installation wizard searches online for updates, which requires anactive Internet connection throughout the installation process.

You can’t choose a course of action until the next screen appears, whichpermits you to choose the version of Windows Server 2008 that matchesyour valid key. Trust us, the folks at Redmond are smart enough to writecode to differentiate between the various full-install and upgrade keys,so you’ll only be fooling yourself by trying to “upgrade” here.


10_180433 ch05.qxp 2/25/08 7:45 PM Page 83

4. Select the appropriate edition and click Next.

5. Type your product key for activation.

You may also choose to activate Windows when you’re online.

6. Read or scroll through the license terms agreement and then selectthe I Accept the License Terms check box to enable the Next button —then click Next.

The installation options dialog box appears; choose between an upgradeor custom install. The distinction lies in both the license key and theprocess: One can only update an existing installation, and the other hasboth options available.

Sometimes an information box appears below, stating Upgrade Has BeenDisabled, followed by an explanation. Here, we choose Custom becauseyou need a full-install key on new hardware. Click the appropriate buttonto proceed.

You can usually find the Product Key on a sticker on the DVD case.

7. Choose how to install Windows when presented with multiple-choiceanswers; otherwise, the choice is clear. Click Next.

Two choices, Upgrade and Custom, appear in this dialog box. However,the type of license you have (upgrade or full-install) determines whichoptions are available.

8. Choose the drive where you want to install Windows Server 2008.

In a single-drive build, you shouldn’t have any questions about this; oth-erwise, you should know in advance which volume you designated forWindows Server 2008 installation.

9. Use the arrow keys to select a partition hosted by a physical harddrive and then click Next.

You may also click Refresh to update this list, or Load Driver to add anysupportive files you need for the installation process.

After you click Next, the Install Windows dialog box appears with nooptions for you to select.

Setup begins processing Windows Server 2008 installation, and thisdialog box indicates every step (from copying and expanding files toinstalling updates and completion) along the way.

Setup spends a considerable amount of time formatting the drive, espe-cially for large partitions. After formatting is complete, Setup inspectsyour hard drives, builds a file list, and then copies lots and lots of filesfrom the DVD to the newly formatted drive. This is a great time tostretch, change your oil, get coffee, or learn how to cross-stitch.


10_180433 ch05.qxp 2/25/08 7:45 PM Page 84

Setup copies and expands files, installs features and updates, and thencompletes installation by asking for all site-specific information at thevery end — instead of throughout the entire process, as with previousWindows installations.

10. When you see a message that says the system will be rebooted, youcan press Enter to reboot immediately or wait 15 seconds for an auto-matic reboot.

Be sure there are no floppies in the drive. Also, don’t press a key to bootto the DVD. If your DVD boots automatically instead of requiring a keypress to initiate a DVD boot, eject the DVD before the reboot.

After the reboot, Windows Server 2008 Setup reenters the GUI mode.Setup scans your computer for devices and installs drivers appropriately.

When the system comes back up, you’re presented with the InitialConfiguration Tasks dialog box, which is where you fill in all the specificserver details. We describe only the first three basic options.

11. Click Set the Administrator Password and choose a strong password.

If you’re using the server for personal use, you can leave the passwordblank, but even then, we don’t advise it.

12. Click Set the Timezone so that crucial timestamps are marked appropriately.

13. Click Configure Networking and specify the default values.

14. Click Close.

Setup delivers you to a screen that reads Press CTRL + ALT +DELETE to login.

15. Press Ctrl+Alt+Del to display the Log On to Windows dialog box.

16. Type your password for the Administrator account and then pressEnter to log on.

After several moments, the Windows Server 2008 desktop appears — asure sign that you’ve successfully installed Windows Server 2008! (Justto keep you on your toes, Windows Server 2008 automatically launchesthe Server Manager Wizard in preparation for your next set of tasks.Jump to Chapter 6 to find out more about this wizard.)

Installing from an Existing OSIf your computer already has an operating system with access to the DVD-ROMdrive — such as DOS, Windows 3.x, Windows for Workgroups, Windows 9x,


10_180433 ch05.qxp 2/25/08 7:45 PM Page 85

Windows NT, Windows 2000/2003, or Windows XP — you can launch theWindows Server 2008 setup from that OS. This is the only way to accomplishan upgrade install. If you launch an install from a bootable DVD, a full installis performed automatically.

Although you can begin the Windows Server 2008 installation from previouseditions of Windows, you can’t upgrade to Windows Server 2008 from manyof these former operating systems. Regardless of the existing OS, you mustmeet the minimum hardware requirements to install Windows Server 2008(refer to Table 5-2), which wouldn’t ordinarily be found on a system runningmany such previous editions of Windows.

To install from the DVD-ROM drive, issue one of the following from a com-mand prompt or a Run dialog box:

� If you’re using a 16-bit operating system, such as DOS, Windows 3.1, orWindows for Workgroups, you need to use this command, replacingdrive letter with the letter assigned to your DVD drive:

<DVD-ROM drive letter>:\i386\winnt

� If you’re using a 32-bit operating system, such as Windows 9x, WindowsNT, Windows 2000, or Windows XP, and you don’t have autorun enabled,you need to use this command, replacing drive letter with the letterassigned to your DVD drive:

<DVD-ROM drive letter>:\i386\winnt32

If you try to run the wrong setup program, the tool will tell you — just run theother program.

If autorun is enabled, you see the Welcome to Windows Setup Wizard screen.

Manually launching Setup from DOS, Windows 3.x, or Windows forWorkgroups requires you to do the following after the DOS, text-only displayappears, asking for confirmation of the location of the distribution files:

1. Make sure that the screen shows the correct path to the i386 directoryon the distribution DVD-ROM and then press Enter.

Setup copies files from the DVD to your hard drive.

2. After Setup informs you that all files have been copied, press Enter toreboot and continue.

After the machine reboots, the setup resumes at Step 9 of the “WindowsServer 2008 Setup: A walk-through” section earlier in this chapter.


10_180433 ch05.qxp 2/25/08 7:45 PM Page 86

If you insert the Windows Server 2008 DVD into a DVD-ROM drive under anoperating system with autorun enabled (for example, Windows NT), theWindows Server 2008 splash screen appears and asks whether you want toupgrade to Windows Server 2008. By clicking Yes, you don’t need to manuallylocate and execute WINNT or WINNT32.

Launching Setup from an eligible Windows platform requires you to followthese steps:

1. On the Install Windows Setup Wizard screen, click Next.

2. Choose whether to get important updates now or later, locate the cor-responding option, and then click it.

Windows Setup will begin looking for updates if you so choose, whichrequires an Internet connection.

3. Enter your product key and then click Next.

Alternatively, you can choose from a drop-down list of choices and omitthe license key altogether at this stage, but they must match up for acti-vation purposes.

4. Accept the license agreement terms and click the Next button.

5. Choose between Upgrade or Custom installation options and click thecorresponding text button.

6. To install Windows Server 2008 to a partition other than the one cur-rently hosting an operating system (highly recommended), be sure to choose the appropriate partition from the menu displayed in thisdialog box.

7. Click Next to continue.

Setup copies files from the DVD to your hard drive. Setup then offers a10-second interval during which you can manually restart before auto-matically rebooting your computer.

After the machine reboots, the setup resumes at Step 9 of the “Windows2003 Setup: A walk-through” section earlier in this chapter.

Installing across a NetworkInstalling Windows Server 2008 across a network is almost the same as per-forming the installation from a local DVD-ROM. Both methods require accessto the distribution files from the DVD (duh!), and you have to manuallylaunch the Windows setup tools.


10_180433 ch05.qxp 2/25/08 7:45 PM Page 87

Manually launching setup over a network requires little change to the processdescribed in the preceding section. However, you need to map a local driveletter to the network share. (This mapped letter tells Setup where the distrib-ution files live.) Setup automatically copies all of the data files it needs beforerebooting.

Installing RemotelyMicrosoft has created an installation process called the Remote InstallationService (RIS). RIS enables network administrators to push a Windows Server2008 installation out to network systems. Although this process simplifiesmultiple installations overall, it isn’t a simple activity. It requires the installa-tion and configuration of several key services, namely Domain Name Service(DNS), DHCP, and Active Directory, in addition to RIS.

The clients that will have the Windows Server 2008 installation pushed tothem must have a Preboot Extension Environment (PXE)–compliant NIC or be booted with a special network client boot disk.

If you want to explore the remote OS installation procedure further, we highlyrecommend that you check out the RIS documentation in the operatingsystem, TechNet, and the Windows Server 2008 Resource Kit.

Working through Post-Installation Stress Disorder

After you finish the basic installation, you’ve simply defined a basic server.You need to dress it up with things such as users, groups, domain controllers,Active Directory, applications, services, and printers, as we describe inChapters 7 through 14. But, before you get excited and flip to those chapters,we want to mention three more issues: the activation process, service packs,and Automated System Recovery.

Understanding ActivationIn an effort to curb pirating of software, Microsoft has implemented an instal-lation control feature (first debuted in Windows XP) called activation. Afterthe initial installation of a product, such as Windows Server 2008, Microsoftgrants you a 30-day period within which you must contact Microsoft and acti-vate that product. If you fail to activate the product, on day 31, the product


10_180433 ch05.qxp 2/25/08 7:45 PM Page 88

ceases to function. In fact, the only activity you can perform from that pointforward is activation. After a product has been activated, it functions normally.

The activation process requires your system to generate a 50-digit code. This code is unique to your system and is used to associate your product keywith your computer hardware. If any other computer attempts to activate thesame product key on a different computer, Microsoft will think you’ve piratedtheir software or at least attempted to install it on another system withoutpurchasing another package. The gotcha to activation is this computer ID,which is generated by pulling unique IDs from ten different parts of your com-puter, including your motherboard, CPU, and hard drives.

If you change six or more of these parts, the system thinks you’ve changedcomputers, and your activated status will be terminated. You have to contactMicrosoft and explain that you’ve only upgraded your existing system andthat you’re not just installing the product onto a completely new secondsystem. Can we say major headaches ahead?

Activation can occur over the Internet, in which case it takes only a few sec-onds. Activation can occur also over a phone line, whereby you must read offthe 50-digit computer ID to the auto-attendant or a customer service repre-sentative, and then you must enter an equally long confirmation key yourself.

To activate your system, you can click the reminder pop-up bubble that appearsover your notification area (previously known as the icon tray or system tray),which is right beside the clock. Until you activate, the operating system remindsyou every day, or every time you log on, about activating. You can initiate theactivation process also by launching the Activation Wizard found in the Startmenu. It appears in the top-level menu initially; after you activate, it appearsonly in the All Programs➪Accessories➪System Tools section.

Dealing with service packsA service pack is a release of updates and patches for a software product.Microsoft is famous for releasing service packs to repair its software. Thisindicates to some cynics that Microsoft is concerned enough about its usercommunity to maintain a product, but not concerned enough to get it rightthe first time. Be that as it may, the first service pack for Windows Server2008 will probably be released three to nine months after Windows Server2008 makes its debut in February 2008.

Microsoft has integrated two capabilities into Windows Server 2008 to easethe burden of maintaining an up-to-date version:

� You can configure the Windows Update tool to regularly check for newupdates and prompt you to download and install them.


10_180433 ch05.qxp 2/25/08 7:45 PM Page 89

� You can slipstream service packs into distribution files so that an initialsetup results in automagic application of the service pack. In otherwords, you can apply service packs to a distribution point so that newsystems automatically get installations that include that service pack.After service packs are available for Windows Server 2008, read theaccompanying documentation to learn how to slipstream them.

Windows Server 2008 service packs don’t entangle you in the Catch-22 ofinstalling files from the original distribution DVD after a service pack is applied.In other words, adding new services doesn’t require reapplication of servicepacks, and application of service packs doesn’t require reinstallation of ser-vices from the distribution DVD. What a relief!

Microsoft advertises releases of its service packs, making it easier for the typical user to locate, download, and apply these jewels. You’ll usually find alink on the product-specific Web page at www.microsoft.com/windowsserver2008/default.mspx.

Using Automated System RecoveryAutomated System Recovery (ASR) is partially designed to replace the func-tion of the previous ERD repair process (remember that from Windows NT?).You can use ASR to restore a system to its stored configuration settings in the wake of a complete system failure. The only drawback to ASR is that itrestores files found on only the system partition. Therefore, if you have appli-cations or user data files on other partitions, ASR doesn’t offer a safety netfor these items.

To use the ASR restore process, you must first create an ASR backup set. Youcan create an ASR backup set from the Welcome tab of the Backup utility(Start➪All Programs➪Accessories➪System Tools➪Windows Server Backup).The ASR backup set consists of a single floppy and one or more backup tapes(depending on the amount of data stored on your system partition). Torestore a failed system, you must boot to the original setup program eitherfrom a bootable DVD or the setup boot floppies, and then press F2 whenprompted to initiate the ASR repair process. You’ll then be prompted for thefloppy and your backup tapes.

If you want to protect all your data, you have two options. You can use thefull backup capabilities (which include the System State) of the native Backuputility. Or you can spend the money for a quality third-party backup solutionthat offers restoration from tape after simply booting from a floppy instead ofrequiring that the entire operating system be reinstalled before a restorationcan be performed.


10_180433 ch05.qxp 2/25/08 7:45 PM Page 90

Oops, My Installation Didn’t TakeIn most cases, as long as your hardware is on the HCL, installation will be abreeze. (Well, how about a long, continuous gust?) For those other cases,here are some common problems and solutions:

� DVD-ROM problems: The entire Windows Server 2008 installation shipson a single DVD-ROM (unlike previous market releases that appear onCDs), so if you can’t read the DVD, you can’t install Windows Server 2008(unless you’re installing over a network, but even then, the distributionfiles have to come from a DVD at some point). DVD-ROMs are similar tomusic records or DVDs in that one little scratch or speck of dust on thesurface can cause problems. On the other hand, the DVD may be okay,but the drive may not function correctly — or Windows Server 2008 maynot recognize the drive. We hope that your drive appears on the HCL. Todetermine whether the drive or the DVD isn’t functioning, take the DVDto another DVD-ROM drive and see whether you can read it there. Afteryou determine which element is the culprit, you can replace it and retryyour installation.

� Hardware problems: If Windows Server 2008 setup doesn’t recognize aserver’s hardware, it’s likely to stop. Make sure that the machine’s hard-ware appears in the HCL and that you configured all devices correctly. Ifyou have more than one SCSI device, for example, make sure that they’rechained (connected) correctly.

� Blue screen of death: Sometimes, Setup simply crashes and gives you ablue screen; other times, it gives you a display of error codes that only apropeller head can understand. By itself, the blue screen simply meansthat you must reboot. If you get a fancy stop screen, however, you canlook at the first few lines to determine the error code and then use it tolook up the error message in the error-message manual. A stop typicallyoccurs if a driver problem occurs; if you look beyond the first few linesof the error-message screen, it tells you which drivers were loaded atthe time the crash occurred. A good idea is to write the first few lines ofthe stop screen down before attempting to reboot.

� Connectivity problems: Installing a machine into an existing domainrequires that the new system be capable of communicating with adomain controller to create a domain computer account. If communica-tion isn’t possible for any reason (such as a wrong network interface, awrong driver, a bad or missing cable, a domain controller offline, or toomuch network traffic), you can’t join the domain. In some cases, you canresolve the problem by quickly replacing a cable or allowing the systemto try the connection a second or third time. In other cases, you candelay confronting the problem by joining a workgroup instead. Then you


10_180433 ch05.qxp 2/25/08 7:45 PM Page 91

can resolve any problems (such as network interface, driver, and config-uration problems) with a functioning system.

� Dependency problems: Some services in Windows Server 2008 dependon other services loading correctly. If service A doesn’t load, service Bdoesn’t work, and you get error messages if service B is set to automati-cally start at bootup. For example, if a network interface isn’t installed cor-rectly, all services that use that network interface also fail to start. Yourfirst order of business, therefore, is to get the network interface to func-tion correctly. If you get this far in the installation process, you can viewthe error logs (Start➪All Programs➪Administrative Tools➪Event Viewer)to see which service didn’t start and then work your way from there.

� Script file errors: The Windows Server 2008 automated installation pro-gram (see the next section) isn’t forgiving if you mistype a script. If ascript stops midway and the Windows Server 2008 setup program asksyou for manual input, you entered something incorrectly. Check theinput file to look for transposed letters or anything else that may be outof place. Scripts expect to feed the computer exactly what you put in thescript file. If you don’t enter the right information, Setup doesn’t receivethe information it expects.

Exploring Automated InstallationAn unattended installation feature enables you to install Windows Server2008 without keyboard interaction. Just start the process and walk away.Unattended installation uses a script file that pipes in information and key-board strokes from a data file that you compose in advance. If you alreadyknow all the answers to the questions that the installation program asks, youcan answer these questions and place them in a data file. You can use morethan one data file for different types of installations.

Unattended installation is great for organizations that install Windows Server2008 over and over on machines with the same hardware configurations.Large enterprise networks that include remote offices can also take advantageof unattended installation because home office administrators can customizescript files and transmit them to remote offices. The caveat here is that youmust test the script files for accuracy thoroughly in the central office; other-wise, the folks in the remote office may soon be screaming for help!

Details on creating automation scripts are included in the Windows Server2008 Resource Kit. You can also find information on this subject in theWindows Server 2008 Technical Library at technet2.microsoft.com/windowsserver2008/en/library/.


10_180433 ch05.qxp 2/25/08 7:45 PM Page 92

Chapter 6

Configuring Connections to the Universe

In This Chapter� Introducing the Server Management console

� Configuring your server

� Configuring domain controllers

� Understanding server roles

� Using remote access

Even after you complete the installation of Windows Server 2008, you stillface numerous decisions and related activities before you can safely say,

“Mission accomplished!” What role does this server play on your network?Does it host multiple network interfaces? Do you need remote access? In thischapter, you seek answers to all these questions and follow the steps toimplement them properly.

Before you get too excited, we must warn you that certain topics covered inthis chapter are just flat-out complex. We try to give a general overview of eachtopic, but in some cases, covering all the relevant details goes beyond thescope of this book. When that happens, we refer you to other resources andmaterials where you can find meaningful, reliable, and more detailed coverageof these topics, to supplement and complete what we provide you with here.

In this chapter, you go through the steps necessary to get your WindowsServer 2008 installation up and running.

11_180433 ch06.qxp 2/25/08 7:46 PM Page 93

Completing the Initial Configuration Tasks

Starting at square one, the first time you log on to Windows Server 2008 aftercompleting the initial installation, you’re confronted with an Initial ConfigurationTasks (ICT) dialog box, shown in Figure 6-1. This wizard appears by defaultthe first time you log in, and every subsequent time, unless you select the DoNot Show this Window at Logon check box.

ICT assists administrators with Windows Server 2008 deployments by post-poning platform settings previously encountered during the installationprocess to shorten the installation time. ICT does this by allowing administra-tors to specify relevant values at the end of the installation process, therebybypassing lots of dialog boxes and related interruptions along the way.

Windows Server 2008 also brings a concept called componentization to thetable, which is defined as breaking a complete system into interchangeableparts to create a standardized approach to assembly, interface, or operation.For Windows Server 2008, this translates into the ability to reuse componentsoutside their usual frameworks. A simple analogy is the relationship betweenelectronic components and electronic devices. A device is made of compo-nents, but it can also do things that individual components normally can’t.

Figure 6-1:The InitialConfigur-

ation Tasksdialog box.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 94

The Initial Configuration Tasks dialog box allows administrators to configurea server with the following parameters:

� Administrator password: Set the administrator password (left blank bydefault).

� Computer name: The computer name is randomly generated and assignedduring installation, but you get your first chance to change it here.

� Time zone: Configure the local time zone.

� Configure networking: Establish initial network interface settings.

� Domain membership: There is no default domain to join; however, thecomputer is automatically assigned to a workgroup, appropriatelynamed WORKGROUP.

� Enable Windows Update and feedback: Choose whether to automati-cally update Windows and issue problem reports or receive feedback.

� Add roles: A server role describes the primary function of a server,which can be one or several roles (each with one or more separate ser-vices) on a single computer.

� Add features: A feature provides supportive functionality to servers,which typically means augmenting a configured server role with addi-tional capabilities.

� Enable Remote Desktop: Remote desktop assistance is provided by anunderlying Remote Desktop Protocol (RDP), which enables user comput-ers to communicate with Microsoft Terminal Services.

� Configure Windows Firewall: The Windows Firewall is enabled by default,but you might want to spend some time familiarizing yourself with its fea-tures and capabilities, or configure it with site-specific settings.

These pre-deployment options are left for the end of installation to improveefficiency. Administrators can set these as soon as the install completes,which shortens time-to-launch for a fresh server installation. When you closethe ICT dialog box, another configuration utility pops up: the Windows ServerManager, which we describe next.

Server Manager ConfigurationWindows Server 2008 includes an all-new Server Manager application in GUIand command-line form that simultaneously replaces and consolidates theWindows Server 2003 interfaces called Manage Your Server, Configure YourServer, and Add or Remove Windows Components. Server Manager eliminatesany need to run the Security Configuration Wizard prior to deployment becauseserver roles come pre-configured with recommended security settings. Each

95Chapter 6: Configuring Connections to the Universe

11_180433 ch06.qxp 2/25/08 7:46 PM Page 95

separate application is consolidated into one utility for a better combinationof features and functionality in a single centralized applet, which provides aholistic view of server configuration and related server components. Thisnew management platform enables you to install, configure, and manageserver roles specific to Windows Server 2008, including some capabilitiesthat even work on Windows Server 2003 machines.

Getting to know the Server Manager consoleYou can use the expanded Server Manager MMC (Microsoft ManagementConsole) to configure various applications, features, and roles on your WindowsServer 2008 PC. A role describes a server’s primary function; administratorsmay designate or dedicate an entire computer to one or more roles that caninclude DHCP and DNS services, among many others. A feature describessome supporting function in a server; for example: failover clustering indi-cates that multiple server computers function as a single logical server, and ifone computer fails, another stands ready to take its place automatically.

The Windows Server Manager console provides a consolidated view thatincludes: server information, configured roles, services, and feature status. Itputs all the easily accessible management tools together under one interface.Server Manager improves productivity so that you spend less time on deploy-ment, management, and maintenance phases and more time adding and usingnew features in your network infrastructure.

Here are a few key highlights to the new Server Manager platform:

� Server Manager functionality incorporates snap-in extensions fromComputer Manager (Reliability and Performance, and Windows Firewall)that are always available regardless of which roles are installed.

� Server Manager displays notifications linked to descriptive help topicsatop role management homepages when constraints in the role modelare violated. Help topics may include additional content, solutions, ortools to help resolve some particular issue.

� The Server Manager Add Roles Wizard provides configuration pages formany roles, including AD Federation Services (AD-FS), Network Policyand Access Services, Fax Server, AD Rights Management (AD-RM), FileServices, and many others, as shown in Figure 6-2. See Table 6-1 for moreinformation on Server Roles.

� The Server Manager Add Features Wizard supports installation ofBitLocker Drive Encryption, Group Policy Management, Remote ServerAdministration Tools, and a variety of supplementary or supportive net-work and storage features. See Table 6-2 for more details about ServerFeatures.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 96

� Server Manager provides Remote Server Administration Tools (RSAT)that enable remote management for specific roles, role-based services,and features on computers running Windows Server 2008 and WindowsServer 2003.

� Server Manager supports automated deployment and scripting optionsfor Windows Server 2008 roles from a command-line tool that can installor remove multiple roles, role services, or server features.

Table 6-1 Windows Server 2008 Server RolesRole Name Description

Active Directory Certificate AD-CS provides customizable services to create Services (AD-CS) and manage public key certificates used in public

cryptographic systems. Organizations mayenhance their security posture by binding useridentities, devices, or services to correspondingprivate keys. AD-CS also includes features forenrollment and revocation of certificates.

Active Directory Domain AD-DS stores user, computer, and other net-Services (AD-DS) worked device information to help administrators

securely manage and facilitate resource sharingor collaboration between users. AD-DS is alsorequired for directory-enabled services such asMicrosoft Exchange Server or Group Policy.

(continued)

Figure 6-2:The server

roles thatcan be

installedthrough the

ServerManager

Wizard.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 97

Table 6-1 (continued)Role Name Description

Active Directory Lightweight AD-LDS is a directory for storing application data Services (AD-LDS) that runs as a non-operating system service,

which doesn’t require deployment on a DC andpermits multiple simultaneous instances to beconfigured independently to service multipleapplications.

Active Directory Rights AD-RMS is information protection technology Management Services that works with compatible applications to safe-(AD-RMS) guard against unauthorized use of digital media.

Content owners define how such data may beused, and organizations may create custom tem-plates that apply directly to financial reports,product specifications, and other such materials.

Application Server (AS) AS provides a turnkey solution for hosting andmanaging high-performance distributed businessapplications with integrated services such as.NET, COM+, and others.

Dynamic Host Configuration DHCP allows temporary or permanent dynamic Protocol (DHCP) (and static) address assignments to computers

and other network-addressable devices andgives administrators more flexible control overaddress assignments, duration, and type.

File Services File Services provides storage management, filereplication, a distributed namespace, and fastfile-searching technologies for efficient clientaccess to server resources.

Network Policy and Access NPAS delivers an array of options to local and Services (NPAS) remote users, works across network segments,

centralizes management tasks and enforces net-work health properties among client callers.NPAS facilitates VPN, dial-up server, router, and802.11 protected access deployment, and othersuch capabilities.

Print Services (PS) PS provides printer and print server manage-ment, which reduces administrative overhead bycentralizing printer management tasks.

Terminal Services (TS) TS enables users to access server-basedWindows applications and desktops so thatremote users can connect and utilize remoteresources.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 98

Role Name Description

Universal Description, UDDI services enable information sharing via Discovery, and Integration intranet-based Web services or between busi-(UDDI) ness partners that share an extranet or Internet

connection. UDDI can help improve developerproductivity and promote reuse of existing devel-opment work.

Web Server (IIS) IIS 7.0, the Windows Web server, enables infor-mation sharing on intranets or over the Internetas a unified Web platform that integrates severalkey Microsoft components.

Windows Deployment WDS is used to remotely install and configure Services (WDS) Windows installations using the Preboot

Execution Environment (PXE).

Windows SharePoint WSP services allow end-user collaboration Services (WSP) through documents, tasks, and events, enabling

them to easily share contacts and other neces-sary information. WSP is designed to supportflexible deployment, administration, and customapplication development.

You can find more in-depth information about each of the server roles weintroduce in Table 6-1 on Microsoft’s Windows Server 2008 TechCenter pagelocated at http://technet.microsoft.com/en-us/windowsserver/2008/default.aspx.

Table 6-2 Windows Server 2008 Server Manager Server FeaturesFeature Name Description

.NET Framework 3.0 This latest version combines .NET 2.0 APIs withnewer technologies for building user interfaceapplications that help protect customer identities,enable seamless and security-enhanced com-munication, and model an array of business procedures.

BitLocker Drive Encryption This new feature protects data-at-rest (storedinformation), whether the data is lost or stolen orinadvertently stored on decommissioned comput-ers. Integrity is maintained through the TrustedPlatform Module (TPM).

(continued)


11_180433 ch06.qxp 2/25/08 7:46 PM Page 99

Table 6-2 (continued)Feature Name Description

Background Intelligent BITS server extensions enable receipt of client Transfer Service (BITS) file uploads that can be transferred in the fore-

ground or background, asynchronously. It keepsother network applications more responsive andpermits resumption of failed transfers.

Connection Manager CMAK builds connection manager service pro-Administration Kit (CMAK) files suitable for reducing the cost of providing

remote access to all network service providers,whether you’re part of a corporation or anInternet Service Provider (ISP).

Desktop Experience The Desktop Experience includes portions ofWindows Vista (Media Player, themes, and photomanagement) that aren’t enabled by default.

Internet Printing Client (IPC) IPC supports HTTP connectivity to Web-accessibleprinters to users in the same domain or on thesame network, including roaming employees onmobile platforms.

Internet Storage Name ISNS provides service discovery for Internet Server (ISNS) SCSI (iSCSI) storage area networks by process-

ing registration/de-registration requests andqueries from clients.

LPR Port Monitor (LPM) LPR Port Monitor allows UNIX-based client com-puters to print on Windows computers withattached print devices.

Message Queuing (MQ) MQ provides guaranteed message delivery, deliv-ery prioritization, and efficient routing betweenapplications running on different operating sys-tems, using dissimilar network infrastructures,that may even be temporarily offline or scheduledto operate at different times.

Multipath I/O (MPIO) MPIO combined with any Device SpecificModule (DSM) provides multiple data path sup-port to Microsoft-based storage devices.

Peer Name Resolution PNRP enables applications to register and Protocol (PNRP) resolve names from individual computers sharing

a common connection.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 100

Feature Name Description

Quality Windows Audio/Video qWave is an enhanced streaming A/V platform Experience (qWave) that improves performance and reliability in IP-

based networks. It ensures Quality of Service(QoS) and provides admission controls, run-timemonitoring, and application feedback.

Recovery Disc (RD) RD is a Windows utility that creates an OS instal-lation disc, which you may use to recover data ona corrupted installation without the originalinstallation medium, or where standard recoverytools are inaccessible.

Remote Assistance (RA) RA enables support personnel to assist in prob-lem resolution on remote client computers usingthe network or Internet. You can view, share, andcontrol the end user’s desktop, troubleshootproblems, and apply solutions.

Remote Server Administration RSAT provides remote management capability Tools (RSAT) for Windows Server 2003/2008 computers, which

includes the ability to run some managementtools, role services, and server features on theremote server.

Removable Storage RSM catalogs and manages removable media Manager (RSM) and operates automation for such devices.

Network File System NFS services provide a distributed file system (NFS) Services protocol for network-driven access to server

storage volumes, which are mounted remotelylike local resources.

Simple Mail Transfer SMTP server provides a basic foundation for Protocol (SMTP) e-mail messaging between client and server

systems.

Telnet Client The Telnet protocol permits clients to connect toremote computers running the Telnet server, pro-viding remote control over server applicationsand resources.

Telnet Server The Telnet Server aspect of the Telnet protocolpermits different platform Telnet clients to con-nect and utilize remote server resources.

Trivial File Transfer TFTP is a very basic file transfer protocol used Protocol (TFTP) between embedded devices and systems to

obtain and update firmware, configuration set-tings, and other information.

(continued)


11_180433 ch06.qxp 2/25/08 7:46 PM Page 101

Table 6-2 (continued)Feature Name Description

Failover Clustering (FC) FC enables several individual servers to workcohesively as one to provide high-availabilityapplications and services, often as file and printor database services.

Network Load Balancing (NLB) NLB distributes a workload among many otherservers, which ensures scalable stateless TCP/IPapplications under increased loads.

Windows Server Backup (WSB) WSB permits backup and recovery for Windowsplatform files and other supportive applicationsand data.

Windows System Resource WSRM is an administrative tool that controls CPU Manager (WSRM) and memory resource allocation for improved

system performance and reduced runtime risk toapplications, processes, and services that mightotherwise interfere with or hinder performance.

Windows Internet Naming WINS is a distributed database used to register Service (WINS) and query dynamic IP-to-name mappings for

NetBIOS computers and workgroups on Windowsnetworks, and it alleviates issues with NetBIOSname resolutions in routed environments.

Wireless LAN (WLAN) Service WLAN service configures and starts the WLANAutoConfig service, even when the host com-puter has no wireless network interface.

Windows Internal WID is a relational data storehouse used only Database (WID) by Windows roles and features like UDDI or AD-

Rights Management services.

Windows PowerShell PowerShell is a command-line shell and scriptinglanguage used to achieve greater administrativecontrol, a more powerful scripting language, andscripted automation.

Windows Process Activation WPAS removes IIS dependency on HTTP, making Service (WPAS) it accessible to applications hosting non-HTTP

protocols such as WCF services. WPAS alsomanages application pools, worker processes,and message-based activation via HTTP andnon-HTTP requests.

Whether you’re an IT administrator, planner, or technology evaluator formedium or enterprise-level network design, or an early adopter or architect


11_180433 ch06.qxp 2/25/08 7:46 PM Page 102

and engineer responsible for daily management, you’ll appreciate whatServer Manager offers. It greatly simplifies and consolidates tasks so suc-cinctly that you might oversimplify your personal assessment of its capabili-ties. Trust us: You’ll learn a whole new appreciation for this consolidatedcapability in any large-scale server deployments you may undertake.

Establishing directory trees and forestsTo get your Windows Server 2008 system up and running, the first bit of infor-mation you need to feed it is whether it’s the first server in your domain. If itis the first server, the Server Manager console helps you install the core ser-vices required to maintain a domain. If it isn’t the first server on the network,you can set the server up as another domain controller or a member serverin a domain, but with no domain responsibilities. Or you can elect to makethe server a stand alone server, which has no domain involvement at all.

New to Windows Server 2008 is the read-only domain controller (RODC),which allows organizations to deploy and utilize a DC in physically insecurelocations, where absolute security can’t be guaranteed. An RODC hosts read-only partitions of data under the AD-DS database that can’t be altered directly.The first DC in the AD forest must be a fully capable global cataloging server,not an RODC, which you’ll encounter during this setup process.

Prior to the advent of Windows Server 2008, users had no alternative but toauthenticate with a DC via some wide area network (WAN) linkage if no localDC was available. Branch offices often can’t provide or ensure adequate security measures to restrict physical access to writable DCs, which are often shared over limited network bandwidth connections to hub sites thatincrease delays and logon times. This model of operation is inefficient andunderutilizes network resources. Windows Server 2008 improves all of theseissues through RODC server deployments, which provide much finer-graincontrol over administrative access and data storage.

If you’re setting up the first domain controller on the first domain for your orga-nization, you’re setting up more than just a domain; you’re also defining the rootof your first directory tree and the root of your first directory forest. In ActiveDirectory domain lingo, a group of computers that shares a single namespaceand DNS structure is called a domain. A group of domains linked in parent-childrelationships (also like the roots of a tree) is called a tree. A domain tree is a setof domains connected through a two-way transitive trust, sharing a commonschema, configuration, and global catalog. These domains also form a contigu-ous hierarchical namespace with one domain acting as the domain root.

The first domain installed in a tree is considered the root domain for thattree. It would be considered the forest root domain only if it was also the firstdomain in the forest, which we will discuss next.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 103

Groups of trees may be linked together as a forest. The capability to organizea network into complex logical namespace structures gives Windows Server2008 (and Windows Server 2003) its scalability and versatility as an enterprise-capable network operating system.

A forest is a collection of one or more domains that share a common schema,configuration, and global catalog. A forest may or may not have a commondomain namespace. If the forest has only a single tree, it will have a commondomain namespace because it’s the only tree. Because a forest can have morethan one domain tree (it isn’t a requirement, but it’s allowed), these differentdomain trees will have their own individual, contiguous namespaces.

All the domains in a domain tree and all the trees in a single forest have theconnectivity benefit of a two-way transitive trust relationship, which is thedefault trust relationship between Windows 2000, 2003, and 2008 domains. Atwo-way transitive trust is the combination of a transitive trust and a two-waytrust. This complete trust between all domains in an Active Directory domainhierarchy helps form the forest as a single unit through its common schema,configuration, and global catalog. The first Windows 2000, 2003, or 2008domain installed in the forest is considered the forest root domain.

The first domain controller you create also defines the domain. If it’s the firstdomain on your network, it’s also the root of the first tree and the first tree inthe forest. For more detailed information on the logical structure of domains,trees, and forests, please consult the Windows Server 2008 Resource Kit.

A Windows Server 2008 computer is just a stand alone system that acts like aworkstation until you employ the configurations offered through the ICT andServer Manager wizards. Once those configurations are elected and put towork, your Windows Server 2008 machine can take on almost any role youwant, including limited Server Core roles and capacities. Unlike Windows NT,in which you have either primary or backup domain controllers, all domaincontrollers on Windows Server 2008 are essentially the same. Each and everydomain controller shares the responsibility of maintaining the domain, updat-ing changes to the Active Directory, and distributing the authentication andcommunication load.

For now, we assume that your server is the first server on the network. To setup your server, follow these steps:

1. Open Server Manager by choosing Start➪Server Manager.

The Initial Configuration Tasks (ICT) dialog box appears by default onstartup, until you configure it not to reappear. Close the ICT dialog boxto automatically invoke the Server Manager applet; otherwise, theServer Manager applet appears by default, unless and until you config-ure it not to reappear unless manually triggered.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 104

2. Under the Roles Summary entry, select Add Roles.

3. Review the information on the Before You Begin page and then click Next.

A summary of changes to be made is displayed.

4. On the Select Server Roles page, shown in Figure 6-3, select the ActiveDirectory Domain Services check box and then click Next.

5. Review the information on the Active Directory Domain Services pageand then click Next.

A summary of changes to be made is displayed.

6. On the Confirm Installation Selections page, shown in Figure 6-4, clickInstall.

The Installation Results page appears.

7. Click Close This Wizard to launch the Active Directory DomainServices Installation Wizard (dcpromo.exe).

8. On the Welcome to the Active Directory Domain Services InstallationWizard page, click Next.

9. Select the Use Advanced Mode Installation check box.

The Domain NetBIOS Name page appears, enabling you to change theNetBIOS name that is otherwise generated as a default value.

Figure 6-3:The Select

ServerRoles page.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 105

10. Under Choose a Deployment Configuration, click Create a NewDomain in a New Forest and then click Next.

The New Domain Name page appears.

11. Under the Name the Forest Root Domain page, type the full DomainName System (DNS) name for the forest root domain and then click Next.

The name must be in fully qualified domain name (FQDN) format, suchas mycompany.local or googleplex.com. This isn’t the name of yourserver; you define that when you first install Windows Server 2008, andagain with Initial Configuration Tasks. Instead, this defines the top-leveldomain name.

You can use the same name that will be used on the Internet to accessyour organization (such as googleplex.com), or you can use an inter-nal, network-only domain name that won’t be accessible from theInternet (such as mycompany.local or mycompany.ad).

12. On the Set Forest Functional Level page, select the forest functionallevel that accommodates the domain controllers that you plan toinstall in the forest, and then click Next.

Windows 2000 and Windows Server 2003 forest functional levels areincluded with additional levels provided in Windows Server 2008. At thisforest level, only the Windows Server 2008 DCs are supported.

13. On the Additional Domain Controller Options page, DNS server is thedefault selection so that your forest DNS infrastructure can be createdduring AD-DS installation. Unless you intend to use AD-integratedDNS, deselect the DNS server check box. Click Next to continue.

A supportive DNS infrastructure must already exist to enable propername resolutions within the new forest. By default, this wizard

Figure 6-4:The ConfirmInstallationSelections

page.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 106

designates that this installation be delegated the zone to this DNS serverin the authoritative parent zone prior to deployment.

If the wizard can’t create a delegation, a message says that you maycreate one manually. Click Yes to continue. Otherwise, click No and letthe wizard install DNS services with default settings on this, the first DCin the AD forest, which must be configured as a global catalog server(not an RODC). This server will hold five Operation Master roles andshould be pre-configured for static IPv4 address assignment.

14. If default values are unacceptable, type or point to the volume andfolder locations for each element on the Location for Database, LogFiles, and SYSVOL page; then click Next.

15. Type and confirm the restore mode password on the Directory ServicesRestore Mode Administrator Password page and then click Next.

The DS Restore Mode Administrator Password page appears, requestinga unique password to be used to start AD-DS in Directory Services RestoreMode for tasks that are performed offline following a system error. Thismandatory provision is new to Windows Server 2008, and failure tosupply a strong choice will prohibit you from continuing further with theAD-DS installation process.

16. On the Summary page, review your selections. Click Back to changeany necessary selections.

At this time, you may save a copy of your configuration settings by click-ing the Export Settings button. This is especially useful for deployingRODC servers elsewhere, where installation is entirely command-line ori-ented. Such deployment relies on correct syntax and layout of a crucialanswer file where all settings are acquired for installation.

Accuracy of this information is crucial to a successful automated, unat-tended installation process.

17. Select the Reboot on Completion option box to invoke an automaticrestart, or manually restart the server and the AD-DS installationwhen prompted by clicking Restart Now.

At this point, you can decide which network or application components,server roles, or features you want to install on the new server. The second,third, and fourth servers installed on a network can each have a different net-work role, including serving as one of the following:

� A peer domain controller hosting Active Directory

� A network management server hosting DHCP, DNS, WINS, Routing andRemote Access, or any other of a myriad of network services

� A file or print server

� A Web, media, or application server


11_180433 ch06.qxp 2/25/08 7:46 PM Page 107

We cover Active Directory details in Chapters 7 and 8, file servers in Chapter12, and print servers in Chapter 9. Everything you must know about theseServer Manager options appears in these chapters.

Getting the word outWindows Server 2008 includes Internet Information Services (IIS) 7.0 and supports streaming media server, also known as Windows Media Services(WMS), now at version 9.5. IIS allows you to host Web and File TransferProtocol (FTP) sites to intranet and Internet users. With WMS, you can createstunning multimedia presentations, combining audio, video, slides, interac-tive media, and more — all delivered by means of streaming connection.

You can use the IIS and WMS items on the Server Manager Wizard to jumpdirectly to the administrative tools for IIS 7.0 and Media Services. You canalso access Internet Information Services Manager (also known as the IISMMC snap-in), shown in Figure 6-5, by choosing Start➪Control Panel➪Administrative Tools➪Internet Information Services (IIS) Manager.

Figure 6-5:Internet

InformationServicesManager

for IISversion 7.0.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 108

To host Windows Media Services on your Windows Server 2008 system, youfirst need to configure it as a streaming media server by choosing Start➪Control Panel➪Administrative Tools➪Server Manager Wizard. Next, chooseAdd Roles under Roles Summary, and then select Streaming Media Wizard inthe Add Roles Wizard. This installs the streaming media server role, whichallows you to complete the setup of your server to stream audio and videocontent to clients over the Internet or your company’s intranet.

IIS 7.0 is its own application, and its features go far beyond the scope of thisbook. If you really want to set up this service on your server, see theWindows Server 2008 Resource Kit or TechNet.

Organizing the neighborhoodThe Configure Your Server Wizard’s Networking option offers you quickaccess to the configuration tools used to manage DHCP, DNS, Remote Access,and Routing.

DHCP is a method for automatically configuring TCP/IP settings on clientsand non-critical servers upon bootup. DNS is a method of resolving hostnames into IP addresses. We cover both DHCP and DNS in Chapter 10.

Although DHCP and DNS qualify as neat stuff, they’re fairly complex topicsthat aren’t covered in great detail in this book. Please look into the WindowsServer 2008 Resource Kit for complete instructions on their configuration andmanagement.

Routing and Remote Access is a service that combines two functions: routingand remote access (duh!):

� Routing is the capability to direct network communications across alocal area network (LAN) or — with the help of a remote access link —across a wide area network (WAN).

� Remote Access is the capability to establish network connections usingeither telephone or Integrated Services Digital Network (ISDN) lines.

Windows Server 2008 can act as a client to connect to remote systems, or itcan act as a server to accept inbound calls. The Remote Access and Routingselections under the Networking option (in the Configure Your Server Wizard)offer a link to the Routing and Remote Access management console shown in Figure 6-6. With this console, you can install and configure Routing andRemote Access.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 109

Here are the basic steps to enable this service:

1. Open the Routing and Remote Access management console (Start➪Administrative Tools➪Routing and Remote Access).

2. Click the Routing and Remote Access item in the left pane.

The list of servers on the network is displayed.

3. Right-click your server and choose Configure and Enable Routing andRemote Access.

The Routing and Remote Access Server Setup Wizard appears.

4. Click the Next button to continue.

The wizard provides a selection list of common configurations and theoption to manually define settings. The options available in the CommonConfigurations windows are as follows:

• Remote Access (dial-up or VPN)

• Network Address Translation (NAT)

• Virtual Private Network (VPN) Access and NAT

• Secure Connection between Two Private Networks

• Custom Configuration

5. Choose the option that best matches your needs or choose CustomConfiguration and set things up manually.

Figure 6-6:The Routingand Remote

Accessmanagement

console.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 110

6. Click Next.

Each of the four common configuration suggestions prompt you for fur-ther details to fine-tune the system. For more information on these selec-tions, consult the Windows Server 2008 Resource Kit.

7. Just follow the prompts through the rest of the wizard to complete theconfiguration.

Keep in mind that to enable routing, you need at least two network interfaces.These can be NICs, specialized connections to the Internet, or even modems.

Although it looks like everything has been enabled, we recommend that youreboot before you make any further modifications. After the reboot, Routingand Remote Access is configured and functioning. All it needs now are net-work interfaces and a bit of configuration. The Routing and Remote Accessinterface is a graphical user interface (GUI), which — compared to the previ-ous command-line, text-only control and display — is a great improvement.Furthermore, this management tool allows you to install routing protocols,monitor interfaces and ports, watch dial-up clients, define access policies, andmodify logging parameters. You’ll never want to use the ROUTE command again!

However, routing isn’t a subject for the timid. For this reason, we recommendthat you consult the Windows Server 2008 Resource Kit for more information.We don’t want to leave you completely in the dark, so we list a few more fea-tures of Remote Access in the “Other frills” section a little later in the chapter.

Establishing Remote ConnectionsRemote communications consist of two distinct elements: the client and theserver. Windows Server 2008 can either establish a connection to a remotesystem (as a dial-up client) or accept connections from remote clients (as adial-up host). For more information on using Windows Server 2008 as a dial-up host, please see the Windows Server 2008 Resource Kit or consultMicrosoft TechNet articles.

Getting connectedUsing Windows Server 2008 as a dial-up client isn’t terribly difficult. In mostcases, you dial out to an Internet Service Provider (ISP) to make an Internetconnection. We can take you step-by-step through the process of establishingsuch a connection if you have the following pieces of information at hand:


11_180433 ch06.qxp 2/25/08 7:46 PM Page 111

� Phone number of the ISP

� Logon name

� Logon password

For this type of connection, we assume that you have a modem, not an ISDNline or other connection device. If you don’t have a modem, you definitelyneed one for this exercise. You can install a modem using the Add/RemoveHardware applet from the Control Panel. If you follow the prompts, you’ll beamazed at how easy it is to do the installation.

We also assume that your ISP has a simple logon procedure. If you requirespecial characters to be prefixed to your logon name, must traverse a logonmenu, or must execute a logon script, you need to consult your ISP forinstructions on how to configure Windows Server 2008 to properly establisha connection. Fortunately, most ISPs have a simple logon process.

Here’s how to get things rolling:

1. Choose Start➪Connect To to display the Network Connections screen,as shown in Figure 6-7.

You should have a modem installed before you follow these steps.

2. Click the Set Up a Connection or Network link.

3. Under Choose a Connection Option, select Set Up a Dial-UpConnection and then click Next.

4. Fill in the Telephone Number and Destination Name entries, selectwhether this object is shared among other users, and click Next.

Figure 6-7:The

NetworkConnectionsmanagement

console(after a dial-

up objecthas beendefined).


11_180433 ch06.qxp 2/25/08 7:46 PM Page 112

5. Type the User Name and Password into each corresponding field,choose an optional Domain, and click Create.

6. When the connection is ready to use, you may click Connect; other-wise, click Close.

That’s it! An icon now appears in the Network Connections window with thename you provided. Double-click this icon to display the Connection dialogbox. Click the Dial button to establish the connection. After a few noisymoments, you’ll establish a connection and be ready to surf!

You can view the status of the connection by placing your mouse cursor overthe connection icon (the one with the two overlapping computers) in theicon tray. You can also double-click the icon to display a dialog box withmore information.

You can change the parameters of the dial-up connection by right-clicking theicon in the Network Connections window and choosing Properties. In thedialog box for the Network Connections Property page, you can change everyaspect of the connection.

To end the connection, right-click the connection icon in the icon tray andchoose Disconnect — or double-click the connection icon to display theDetails box and then click Disconnect.

Other frillsWindows Server 2008 includes all the latest capabilities that you wouldexpect in a Windows-based remote access server. You’ll recognize most ofthese from Windows Server 2003, and some from Windows 2000 and WindowsNT. But even with the latest enhancements, Windows Server 2008 hasretained nearly all of its old capabilities and functions. That means if youcould accomplish something using Windows NT 4.0, Windows 2000, orWindows Server 2003 RAS, you can do it better using Windows Server 2008Remote Access.

These features include but aren’t limited to the following:

� Point-to-Point Protocol (PPP) for dial-out and dial-in connections. SerialLine Internet Protocol (SLIP) is still retained for outbound connectionsto non-PPP systems. (Windows XP Professional doesn’t support SLIP forincoming connections; only Windows Server 2008 can use TCP/IP to con-nect through SLIP.)

� Multilink PPP for aggregating similar connections into a single pipeline.

� Point-to-Point Tunneling Protocol (PPTP) for link establishment over theInternet for secure communications.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 113

� Authentication encryption to secure logon passwords.

� VPN security features: IPSec and L2TP. (See the Windows Server 2008Resource Kit or TechNet for more information.)

� Support for smart cards (which are small cards added to the system tostore security information).

� Full Remote Authentication Dial-in User Service (RADIUS) support.

� Shared connections (a single computer sharing its connection withother network clients).

For an in-depth discussion of Remote Access, check out the Windows Server2008 Resource Kit.


11_180433 ch06.qxp 2/25/08 7:46 PM Page 114

Chapter 7

Doing the Directory ThingIn This Chapter� Understanding a directory service

� Introducing the Windows Server 2008 Active Directory

� Planning for Active Directory

� Installing Active Directory

� Coping with multiple domains

In this chapter, you look at the updates made to the directory service knownas Active Directory. You find out what a directory service is, why it’s required

for a Windows domain and forest structure, and how to plan for and installthe Windows Server 2008 Active Directory. It may not be the greatest thingsince sliced bread, but it’s at least as good as cracked pepper crackers!

What you won’t find here, but might benefit from knowing, is that ActiveDirectory cleanly integrates with virtual machines in Virtual Server capaci-ties. This level of integration enables delegated administration and secure,authenticated guest access. And for those of you not already in the know,Windows Server Virtualization is the logical partitioning of server softwareresources so that multiple instances of an operating system (such asWindows Server 2008) can operate simultaneously, side by side.

What Is a Directory Service?You may not know it, but you use directory services all the time. When youget hungry and crave pizza, you open your telephone directory and lookunder P for this peerless paragon of sustenance. That telephone book is akind of directory service — namely, it contains the information you need,along with a way to locate the information you require. (In this case, it’s inalphabetical order.) A computerized directory service works pretty much thesame way: It contains information about numerous aspects of your company,organizes that information, and provides one or more tools to help youexplore the information it contains.

12_180433 ch07.qxp 2/25/08 7:46 PM Page 115

The first operating system from Microsoft to offer directory services wasWindows Server 2000. Novell NetWare has its own native directory service —Novell Directory Services (NDS) or eDirectory in NetWare 6 — and it’s beenoffered in all the released Novell versions of Network Operating System (NOS)since 1993. Microsoft bases the entire Windows Server 2003/2008 domain struc-ture (which started with Windows Server 2000) around its directory services,rather than simply offering them as an add-on to previous domain implemen-tations. Microsoft’s directory service is called Active Directory.

Although Active Directory and Novell Directory Services don’t interactdirectly, you can synchronize Active Directory with Novell Directories usingMicrosoft Directory Synchronization Services (MSDSS). MSDSS is includedwith Services for NetWare 5 and up, and enables Active Directory synchro-nization with NDS and NetWare 3.x binderies so that system administratorscan reduce overall directory management by administering one, rather thantwo, separate directory services.

When it comes to names, Microsoft seems obsessed with the word active.There’s Active Desktop, ActiveX, and Active Directory. However, the term isaccurate — indeed, Active Directory is active (when used correctly).

Meeting Active DirectoryTo do its job properly, a directory service must meet three primary requirements:

� It must include a structure to organize and store directory data.

� It must provide a means to query and manage directory data.

� It must supply a method to locate directory data and the network andserver resources that might correspond to such data. (For example, ifthe directory data includes a pointer to a file and a printer, the directoryservice must know where they reside and how to access them.)

Windows Server 2008’s Active Directory fulfills all these requirements usingvarious technologies. For more information about Active Directory, pick up acopy of Active Directory For Dummies (Wiley Publishing).

Organizing and storing dataThe structure of Active Directory follows the ISO X.500 protocol guidelines.(ISO stands for International Organization for Standardization.) Figure 7-1shows the hierarchical structure of an X.500 directory. This is a commonstandard used in nearly all directory services, including not only Microsoft’s


12_180433 ch07.qxp 2/25/08 7:46 PM Page 116

Active Directory but also Novell Directory Services (NDS), Netscape prod-ucts, and other implementations. X.500 has proven to be useful for this appli-cation because it organizes data in a hierarchy that breaks directory infor-mation into a variety of useful containers, such as countries, organizationalunits, subunits, and resources. The example in Figure 7-1 organizes the direc-tory down to the user object level.

The two X.500 standards most commonly used today are the 1988 and 1993X.500 versions. The 1993 version includes a number of advances over theolder 1988 version. Happily, the 1993 version is the standard upon whichMicrosoft built Active Directory for Windows Server 2008.

Managing dataA special-purpose protocol known as the Lightweight Directory AccessProtocol (LDAP) provides the second ingredient for the Active Directory ser-vice. LDAP normally utilizes TCP port 389 as its main network transport con-nection. As the latter part of its name suggests, LDAP is designed specificallyto retrieve and access directory data. (The Lightweight part of its name stemsfrom the fact that it’s a stripped-down version of an older, more cumbersomeX.500 Directory Access Protocol.)

Root

Countries

USA UKOrganizations/Departments/

Groups

Sales Marketing

People/Objects

Australia

Figure 7-1:The

hierarchicalstructure of

an X.500directory.

117Chapter 7: Doing the Directory Thing

12_180433 ch07.qxp 2/25/08 7:46 PM Page 117

The terminology used in this chapter may seem familiar to those of you whoare acquainted with Microsoft Exchange Server’s directory service. This isbecause the Active Directory service in Windows Server 2008 shares acommon heritage (and common technology) with the Exchange Server direc-tory service. In fact, an Exchange connector is supplied with Windows Server2008 to link these two directory services and to replicate data between them.Not surprisingly, this software component is called the Active DirectoryConnector.

More information on LDAP appears on the RFC 1777 (Request For Comments)page at www.ietf.org/rfc/rfc1777.txt.

Locating data and resourcesIf Windows Server 2008 directory data is structured using the X.500 protocoland this data is accessed using LDAP, there also must be a way to locatedirectory data. Time for the missing third ingredient! How does ActiveDirectory meet the third and final requirement for a working directory ser-vice? We’re glad you asked. Active Directory relies on the well-known andwidely used Internet standard called the Domain Name Service (DNS) as itslocator service.

Of Domains and ControllersBehind every great domain is a great domain controller (so the ArethaFranklin song goes), but before you look at how Windows Server 2008 usesdomain controllers, a quick recap of Windows NT 4.0 usage is in order.

The Windows Server 2008, Windows Server 2003, and Windows 2000 way ofdoing the domain controller thing is quite different from the Windows NT 4.0way — mainly because of Active Directory. Okay, so we don’t have to repeatit over and over, Windows Server 2003/2008 and Windows 2000 all supportActive Directory in the same way, so what you see here for Windows Server2008 is also true of Windows Server 2003 and Windows 2000. (Those fewsmall differences concern mainly high-level schema control and naming man-agement and are too detailed for this book.)

In the beginning . . .In Windows NT 4.0, 15-character NetBIOS (Network Basic Input-OutputSystem) names represent domains. These domains revolve around a singleuser/group/policy database called the Security Accounts Manager (SAM)


12_180433 ch07.qxp 2/25/08 7:46 PM Page 118

database, stored in writable format on a single, primary server known as theprimary domain controller (PDC).

NetBIOS names can be a total of 16 characters long. On Microsoft operatingsystems, the NetBIOS name is limited to 15 characters. The 16th character ishidden from view and is used as a NetBIOS suffix by Microsoft Networkingsoftware to identify services installed on a given system. Additional informationon Microsoft NetBIOS suffixes is available at http://support.microsoft.com/default.aspx?scid=KB;en-us;q163409.

Access to the domain database is required to access a domain’s resources, so any model that depends on a single domain controller introduces a singlepoint of failure. To improve availability and reliability of the domain data-base, Microsoft added a second type of server to this mix, known as a backupdomain controller (BDC), which stores a read-only version of the SAM data-base. Users can access the BDC to log on to a domain and to investigate user,group, or account information, but changes to the database can be appliedonly to the PDC.

In this kind of domain environment, the PDC must periodically update theSAM database on all BDCs in its domain to keep them synchronized. Should aPDC ever fail, a BDC can be promoted to become the PDC and to write-enableits copy of the SAM database. However, there’s an unbreakable master-slaverelationship between PDCs and BDCs, because changes to the SAM databasemust be applied to the PDC first, then copied from the PDC to all BDCs.Therefore, if the PDC goes down, no changes can be applied to the SAM data-base unless the PDC is brought back up or a BDC is promoted to become thenew PDC instead. Phew! Got all that?

Although this sounds like a form of subjugation, a master-slave relationship iscomputerese for “everything that changes on the master is copied to all slaves”and “only a master accepts changes and copies all changes to its slaves.”

Windows Server 2008 no longer uses NetBIOS to name its domains; instead, it uses DNS domain names. (See Chapter 10 for more information on DNSdomain names.) For example, rather than a Dummies domain, you might havesales.dummies.com as a legal domain name. However, you can still use aNetBIOS name to refer to a domain, which is a requirement for all non–ActiveDirectory systems, such as the Windows 98 and Windows NT client operatingsystems, sometimes called legacy clients. (That’s why you define one whenyou install Active Directory in Chapter 6.) Likewise, the concept of a SAM is no longer used in a Windows Server 2008 domain. All information aboutusers, passwords, and groups is stored in Active Directory. Therefore, insteadof servers that read from or write to the SAM, servers must supply the LDAPservice that’s needed to interface with Active Directory.

On Windows Server 2008, network servers that host the LDAP service aredomain controllers. As in Windows NT–based networks, these servers are


12_180433 ch07.qxp 2/25/08 7:46 PM Page 119

responsible for authentication and other domain activities. In Windows Server2008–based networks, however, servers use Active Directory to provide theservices that their older counterparts delivered using the SAM database.

Wherefore art thou, BDC/PDC?The concept of PDCs and BDCs isn’t used in the Active Directory domainstructure of Windows 2000 and Windows Server 2003/2008. In this brave newworld, all domain controllers are equal (although some are indeed moreequal than others). How is this equality maintained? A process known as multimaster replication ensures that when changes occur on any domain con-troller in a domain, these changes are replicated to all other controllers inthat domain. Therefore, instead of the older master-slave relationshipbetween PDC and BDCs, you have a peer-to-peer relationship among alldomain controllers in a Windows Server 2008 domain (and beyond) wheretrust relationships exist. (A trust relationship is a special interdomain accessarrangement that you define when users in one domain require access toresources in another domain.)

Because you can’t upgrade all your domain controllers from Windows NT 4.0to Windows Server 2008 in one fell swoop, Windows Server 2008 allows youto operate your domains in a mixed mode. This allows Windows NT 4.0 BDCs(but not PDCs) to participate in a Windows Server 2008 domain. The idea isthat you begin by upgrading the NT4 PDC to Windows Server 2008 and thenproceed on to other server-based systems in the enterprise. This will ofteninclude the upgrading or total demotion of all existing NT4 Server class BDCs.

For a Windows NT 4.0 BDC to function properly, it needs to obtain updatesfrom a PDC. Therefore, a single Windows Server 2008 domain controllerimpersonates a Windows NT 4.0 PDC, which allows changes to be replicatedto any Windows NT 4.0 BDCs in that domain. This capability of a WindowsServer 2008 domain controller is known as a Flexible Single Master Operations(FSMO) role (also known as operations master role). This specific server roleis called PDC emulator.

Even in a full-fledged, Windows Server 2008–only environment, the PDC emu-lator operations master still plays an important part in the scheme of things.It performs certain duties that no other DCs in the domain handle. The PDCemulator receives preferential replication of password changes performed byother domain controllers in the domain. When passwords are changed, ittakes time to replicate the change in every domain controller in the domain.That synchronization delay might cause an authentication failure at a domaincontroller that hasn’t yet received the change. Before that remote domaincontroller denies access to whatever is trying to perform the access, it for-wards the authentication request to the PDC emulator because the PDC emu-lator may have different information (for example, a new password).


12_180433 ch07.qxp 2/25/08 7:46 PM Page 120

In a mixed mode domain operation, clients can use NetBIOS names to accessold-style domain services, or they can use Active Directory to access WindowsServer 2008 domain services. To find a Windows Server 2008 domain controller,clients must query a DNS server for a service record that takes the generalform that follows:

_ldap._tcp.<domain name>

where _ldap._tcp.dummies.com represents the domain controllers for thedummies.com domain, for example.

Windows Server 2008 domain controllers don’t have to run the DNS servicelocally. The only requirement is that the DNS servers support the servicerecord types required so that those domain controllers can be located asneeded.

Knowing What Makes Active Directory Tick

To put things in a technobabble nutshell, Active Directory is implementedusing an X.500 structure for directory data, an LDAP interface to access direc-tory data, and Dynamic DNS as a locator mechanism for directory data. So,now that you know all this stuff about Active Directory, what does it giveyou? The following list recounts some of the main features and advantages ofActive Directory:

� Security: Information is stored in a secure form. Each object in ActiveDirectory has an access control list (ACL) that contains a list ofresources that may access it along with which access privileges aregranted to each such resource.

� Query capabilities: Active Directory generates a global catalog to pro-vide a flexible mechanism for handling queries. Any client that supportsActive Directory can query this catalog to request directory data.

� Replication: Replication of the directory to all domain controllers in a domain means easier access, higher availability, and improved faulttolerance.

� Extensibility: Active Directory is extensible, which means that newobject types can be added to a directory or existing objects can beextended. For example, you could easily add a salary attribute or anemployee ID to the user object. (An attribute is extra information aboutan object.)


12_180433 ch07.qxp 2/25/08 7:46 PM Page 121

� Multiple protocols: Communication between directory servers or acrossdirectories from multiple vendors can use numerous networking proto-cols because of Active Directory’s X.500 foundation. These protocolscurrently include LDAP Versions 2 and 3 and the HyperText TransferProtocol (HTTP). Third parties can extend this capability to includeother protocols as well, if needed.

� Partitioning: In an Active Directory environment, information may bepartitioned by domain to avoid the need to replicate large amounts ofdirectory data. Each such domain is called a tree because of the way thatX.500 structures directory data into an interlinked hierarchy with asingle root. In a large and complex network, a collection of domainsforms a group of trees that is called — you guessed it — a forest!

When you partition Active Directory data into different trees, it doesn’t meanthat Active Directory can’t be queried for information from other domains.Global catalogs contain a subset of information about every object in anentire domain forest, which allows such searches to be performed on theentire forest through the agencies of your friendly local domain controller.

What replication meansIn a Windows Server 2008 domain, all domain controllers are equal.Therefore, if you apply changes to any domain controller, the completedomain directories of all other domain controllers must be updated (througha process called multimaster replication) to record those changes.


Domain treesA domain tree is a set of Windows 2000 domainsor Windows Server 2003/2008 domains (or both)connected by a two-way transitive trust andsharing a common schema, configuration, andglobal catalog. To be considered a true domaintree, all domains must form a contiguous hier-archical namespace. A single domain by itselfwith no child names is still considered a tree.

The first domain installed in a domain tree is theroot domain for that tree. It is considered theforest root domain if it is also the first domain inthe forest. An Active Directory forest is a col-lection of one or more Windows 2000 domains

or Windows Server 2003/2008 domains (or allthree) that share a common schema, configu-ration, and global catalog. Active Directoryforests have a noncontiguous namespace.

All domains in a domain tree and all trees in asingle forest have the connectivity benefit of thetwo-way transitive trust relationship, which isthe default trust relationship between Windows2000 and Windows Server 2003/2008 domains.This complete trust between all domains in anActive Directory domain hierarchy helps to formthe forest as a single unit through its commonschema, configuration, and global catalog.

12_180433 ch07.qxp 2/25/08 7:46 PM Page 122

Here’s how multimaster replication works: Active Directory uses an updatesequence number (USN) to track changes and updates made to ActiveDirectory objects. As changes are made to the objects, this number is incre-mented by 1 on each object affected by the change. For example, a useraccount object that was updated to include a home telephone number wouldhave its USN incremented by 1 to reflect that it had been modified. This modi-fication is then sent to the other domain controllers in the domain. Theobject with the highest USN — that is, the most recently updated object —overwrites any object with a lower USN.

USN increments are atomic operations; in English, this means that the incre-ments to the USN’s value and the actual change to directory data occur at thesame time. If one part fails, the whole change fails; therefore, it isn’t possibleto change any Active Directory object without its USN being incremented. Thus,no changes are ever lost. Each domain controller keeps track of the highestUSNs for the other domain controllers with which it replicates. This allows thedomain controller to calculate which changes must be replicated during eachreplication cycle. In the simplest terms, the highest-numbered USN always wins!

At the start of each replication cycle, each domain controller checks its USNtable and queries all other domain controllers with which it replicates for theirlatest USNs. The following example represents the USN table for Server A.

Domain Controller USN

DC B 54

DC C 23

DC D 53

Server A queries other domain controllers for their current USNs and getsthese results:


DC B 58

DC C 23

DC D 64

From this data, Server A can calculate the changes it needs from each server:


DC B 55–58

DC C Up to date

DC D 54–64

It would then query each server for the updates it needs.


12_180433 ch07.qxp 2/25/08 7:46 PM Page 123

Up-to-date vectors are two different segments of data that contain a globallyunique identifier (GUID) and the Update Sequence Number (USN). The Up-to-date vector is made up of server USN pairs held by the two domain con-trollers containing the highest originating updates. (This is usually thedomain controller in which the originating update occurred and then itsimmediate replication partners.) The high watermark vector contains thehighest attribute USN for any given object. By using both of these vectors,domain controllers can calculate that a given replication of data has alreadybeen received to prevent further replication of any particular update.

Because objects have properties, they also have property version numbers(PVNs). Every property of an object has a PVN, and each time a property ismodified, its PVN is incremented by 1. (Sound familiar?) These PVNs are usedto detect collisions, which happen when there are multiple changes to thesame property for an object. If a collision occurs, the change with the highestPVN takes precedence.

If PVNs match, a time stamp is used to resolve any such conflicts. Timestamps are a great second line of defense in avoiding collisions. They explic-itly mark when each change to the directory data is made, thus enabling thesystem to determine whenever one change takes precedence over another.

In the highly unlikely event that the PVNs match and the time stamp is thesame, a binary buffer comparison is carried out and the larger buffer sizetakes precedence. PVNs (unlike USNs) are incremented only on originalwrites, not on replication writes. PVNs aren’t server specific but travel withthe object’s properties.

A propagation-dampening scheme is also used to stop changes from beingrepeatedly sent to other servers. The propagation-dampening scheme usedby Windows Server 2008 prevents logical loops in the Active Directory struc-ture from causing endless proliferation of updates and prevents redundanttransmission of updates to servers already current.

The grand schema of thingsEvery object in an Active Directory forest is part of the same schema. Theschema defines the different types of information that Active Directoryobjects can contain and store. The two main data definitions outlined in theschema are attributes and classes.

For example, a user object takes attributes such as name, address, and phonenumber. This collection of attributes and their definitions is called the schema.You may think of an object’s schema as a laundry list of its attributes or achecklist of its capabilities. The default schema supplies definitions for users,


12_180433 ch07.qxp 2/25/08 7:46 PM Page 124

computers, domains, and more. You can have only one schema per domainper object because only one definition per object is permitted.

The default schema definition is defined in a file named SCHEMA.INI, whichalso contains the initial structure for the NTDS.DIT file in which ActiveDirectory data is stored. SCHEMA.INI is located in the %systemroot%\ntdsdirectory: It’s an ASCII file, so you can view it or print it as you like.

By default, the Active Directory schema can’t be edited easily. For example,you can add a salary attribute or an employee ID to the user object. In mostcases, you should leave schema editing to the most senior programmers orsystem administrators because changes made to the schema can’t beundone, and incorrect edits can severely damage Active Directory and affectthe entire forest. Some applications, such as Exchange, edit the schema foryou when they’re installed. If you feel the need to edit the schema for somereason, lie down and wait for that feeling to go away. If it comes back, hire aprofessional Active Directory programmer.

An entire enterprise forest (a collection of Active Directory trees in a singleorganizational container) shares a single schema. If you change that schema, itaffects every domain controller in every linked domain. Therefore, you’d betterbe sure that any changes you make are both correct and desirable. Only experi-enced programmers or schema administrators should be allowed to change theschema. For more information on extending the schema, search the MicrosoftWeb site (www.microsoft.com) for Active Directory Programmer’s Guide.

Global catalogsThe global catalog contains entries for all objects in a single Active Directoryforest (which is a collection of domain trees that may or may not explicitlyshare a single, contiguous namespace). It contains all the properties for allthe objects in its own domain, and it contains a partial subset of propertiesfrom all the remaining objects in the forest. The entire forest shares a singleglobal catalog. Multiple servers hold copies of the entire catalog; these serversare domain controllers called global catalog servers. To hold a copy of theglobal catalog, a server must maintain a copy of the Active Directory, whichautomatically makes the server a domain controller.

Searches across the entire forest are limited to the object properties thatappear in the global catalog. Searches in a user’s local domain can be for anyproperty when you perform a so-called deep search on properties not in theglobal catalog.

Don’t configure too many global catalogs for each domain because the repli-cation needed to maintain such catalogs can levy a burden on a network. Oneglobal catalog server per site is usually sufficient.


12_180433 ch07.qxp 2/25/08 7:46 PM Page 125

Although any given search can encompass a specific container or organiza-tional unit (OU) in a domain, a specific domain, a specific domain tree, or theentire forest, in most cases full searches involve querying the entire ActiveDirectory forest through the global catalog.

Planning for Active DirectoryIf you’re using some version of Windows NT, you may have multiple domainswith several trust relationships between individual pairs of domains.Theoretically, you could just upgrade each domain, keep existing trust rela-tionships, and make no changes. If you did that, however, you’d lose theadvantages of Active Directory.

If you’re running a Windows 2000 domain, a bit of planning is still necessaryto upgrade. Even though Windows Server 2003/2008 and Windows 2000 canboth be domain controllers in the same domain, we generally don’t recom-mend using two versions of a product to perform a single function. In mostcases, using the same version of operating system (including upgrades andpatches) keeps unexpected hiccups from corrupting your domain and bring-ing down your network.

That said, you can deploy Windows Server 2008 systems into a domain as domain controllers. You can even perform an upgrade installation on aWindows 2000 domain controller to convert it to a Windows Server 2003/2008(“Longhorn”) domain controller. Just be careful. Don’t upgrade every systemat once. Upgrade one or two, and then test everything to make sure your net-work still performs as you expect it to. Always leave yourself an out — theability to roll back to a previous configuration, when things were workingproperly.

In some cases, businesses using Windows 2003 won’t move to WindowsServer 2008 in a hurry. The most likely candidates for Windows Server 2008migration are Windows Server NT or 2000 shops that have been waiting forthe latest and greatest generation of Active Directory servers from Microsoftbefore jumping on the bandwagon. Therefore, the remainder of the discus-sion of Windows Server 2008 migration focuses on upgrading from WindowsNT or 2000. If you need to upgrade from Windows Server 2000 or 2003 and arealready using Active Directory, some of the following applies, but the detailswill differ somewhat from case to case.

Before you upgrade a single domain controller, you should create a plan foryour domain. Then, you should use this plan to govern the order and methodfor your migration from Windows NT domains to Windows Server 2008 ActiveDirectory.


12_180433 ch07.qxp 2/25/08 7:46 PM Page 126

What’s in a namespace?A namespace is a logically bounded region that contains names based on astandardized convention to symbolically represent objects or information.Specific rules guide the construction of names within a namespace and theapplication of a name to an object. Many namespaces are hierarchical innature, such as those used in DNS or Active Directory. Other namespaces,such as NetBIOS, are flat and unstructured.

In Windows Server 2008, domains use full-blown DNS names rather thanNetBIOS names. This creates interdomain parent-child relationships — where onedomain may be created as a child of another — that Windows NT can’t support.For example, sales.dummies.com is a child of the dummies.com domain. (Achild domain always contains the full parent name within its own name.)

It’s important to remember that parent-child relationships can be created onlyfrom within a parent domain using DCPROMO, the Active Directory InstallationWizard. The parent domain must exist before you create any child of thatparent. Thus, the order in which you create or upgrade domains is crucial!

In the next section, you find more reasons why it’s important to create yourdomains in a certain order. But even before you concern yourself with siteissues, you need to be aware that you should always create an enterprise rootdomain before creating any other domain. For example, if you begin by creatingthe dummies.com root domain, the sales.dummies.com domain and all otherdependent domains can then be created as children of the dummies.com rootdomain. This structure helps when searching other domains and enables thepossibility of moving domains around in future versions of Windows Server.

Making sites happenSites in Active Directory are used to group servers into containers that mirrorthe physical layout of your network. This organization lets you configurereplication between domain controllers. Actually, sites are primarily used forreplication control over slower wide area network (WAN) links between sepa-rate sections of the same network. A number of TCP/IP subnets can also bemapped to sites, which allows new servers to join the correct site automati-cally, depending on their IP addresses. This addressing scheme also makes iteasy for clients to find the domain controller closest to them.

When you create the first domain controller, a default site called Default-First-Site is created, and the domain controller is assigned to that site. Subsequentdomain controllers are added to this site, but they can be moved. You canalso rename this site to any name you prefer.


12_180433 ch07.qxp 2/25/08 7:46 PM Page 127

Sites are administered and created using the Active Directory Sites andServices Microsoft Management Console (MMC) snap-in. To create a new site,do the following:

1. Start Active Directory Sites and Services, shown in Figure 7-2. (ChooseStart➪Control Panel➪Administrative Tools➪Active Directory Sites andServices.)

2. Right-click the Sites branch and choose New Site.

The new object Site dialog box appears.

3. Type a Link Name for the site (for example, NewYork).

The name must be 63 characters or less and can’t contain “.” or spacecharacters. You must also select a site link from the list. By default,DEFAULTIPSITELINK is created during the DCPROMO process. If youhaven’t created additional sites manually, this is the only one listed.

4. Select a site link to contain the new site and then click OK.

5. Read the confirmation creation dialog box and then click OK.

You must be a member of the Enterprise Admins group in the forest or theDomain Admins group in the forest root domain. Otherwise, unless you’redelegated the appropriate authority, you can’t make these changes.

For best security practice, use Run as Administrator from your lowest-leveluser account and use administrative credentials.

Now that the site is created, you can assign various IP subnets to it. To do so,follow these steps:

1. Start Active Directory Sites and Services. (Choose Start➪Administrative Tools➪Active Directory Sites and Services.)

2. Expand the Sites branch.

Figure 7-2:Active

DirectorySites andServices.


12_180433 ch07.qxp 2/25/08 7:46 PM Page 128

3. Right-click Subnets and choose New Subnet.

The New Object — Subnet dialog box appears.

4. Type the name of subnet in the form <network>/<bits masked>.

For example, 200.200.201.0/24 is network 200.200.201.0 with subnet mask255.255.255.0.

5. Select the Site with which to associate the subnet (for example, New York).

6. Click OK.

You now have a subnet linked to a site. You can assign multiple subnets to asite if you like. For more information on subnets, see Chapter 10. For evenmore details, search the Windows Server 2008 Help menu for subnets.

Oh, you organizational unit (OU), youThe organizational unit (OU) is a key component of the X.500 protocol. As thename suggests, organizational units contain objects in a domain that areorganized into logical containers, thus allowing finer segregation and controlwithin a domain. Organizational unit containers can contain other organiza-tional units, groups, users, and computers.

OUs may be nested to create a hierarchy to match the structure of your business or organization closely. Using OUs, you can eliminate cumbersomedomain models developed for Windows NT Server–based domains (themaster domain model, for example, in which several resource domains useaccounts from a central user domain). Using Active Directory, you can createone large domain and group resources and users into multiple, distinct OUs.

The biggest advantage of OUs is that they allow you to delegate authority. Youcan assign certain users or groups administrative control over an OU, whichallows them to change passwords and create accounts in that OU but grantsno control over the rest of the domain. This capability is a major improvementover Windows NT domain administration, which was an all-or-nothing affair.

Installing Active DirectoryIn Windows NT, you set up each server’s type during installation. Theserver’s function can fill one of the following roles:

� Stand-alone/member server

� PDC

� BDC


12_180433 ch07.qxp 2/25/08 7:46 PM Page 129

With the exception of PDC/BDC swapping, a server’s role can’t be changedwithout reinstalling the operating system. For example, you can’t change amember server to a domain controller without reinstalling Windows NT.

Windows Server 2008 has left all that behind by allowing you to install allservers as normal servers. You can use a wizard (covered in the followingsection) to convert normal servers to domain controllers, or domain con-trollers to normal servers. This facility also gives you the ability to movedomain controllers from one domain to another by demoting a domain con-troller to a member server and then promoting it to a domain controller in adifferent domain. In the Windows NT environment, demoting and promotingdomain controllers typically requires reinstalling the operating system orjumping through some pretty major hoops.

Promoting domain controllersWindows Server 2008 allows you to convert servers from normal servers todomain controllers and vice versa. To do this, you use the Active DirectoryInstallation Wizard. You can access this wizard through the Configure YourServer tool (Start➪Server Manager — see Chapter 6) or by executingDCPROMO from the RUN command (or command prompt). You can use theActive Directory Installation Wizard also to remove Active Directory from adomain controller; this returns the system to a member server state.

For the step-by-step of installing Active Directory and creating a domain con-troller, go to Chapter 6.

Active Directory’s database and shared system volumeAlthough you can think of Active Directory as an information bubble, it’s storedin file form on each domain controller in a file named %systemroot%\NTDS\ntds.dit. This file is always open and can’t be backed up using a simple filecopy operation. However, like old methods for backing up SAM in WindowsNT 4.0, the new NTBACKUP program included with Windows Server 2008includes an option to take a snapshot of Active Directory and back up thatinformation. (This option is called System State.) There’s even a special direc-tory restoration mode you must boot into to restore an Active Directorybackup! (Chapter 13 covers backups in detail.)

The share system volume, or SYSVOL, is the replication root for each domain.Its contents are replicated to each domain controller in the domain using theFile Replication Service. The SYSVOL must reside on an NTFS 5.0 volumebecause that’s a File Replication Service requirement.


12_180433 ch07.qxp 2/25/08 7:46 PM Page 130

SYSVOL is also a share that points (by default) to %systemroot%\SYSVOL\sysvol, which contains domain-specific areas, such as logon scripts. Forexample, the logon share NETLOGON for domain savilltech.com points to%systemroot%\SYSVOL\sysvol\savilltech.com\SCRIPTS. You cansimply copy files used for logging on to or off this directory, and the changeis replicated to all other domain controllers in the next replication interval(which by default is set to 15 minutes).

Modes of domain operationWindows Server 2008 domains operate in four modes: mixed, native, .NET,and .NET interim:

� Mixed mode domains allow Windows NT 4.0 BDCs to participate in aWindows Server 2008 domain.

� In native mode, only Windows Server 2008/2003–based and Windows2000–based domain controllers can participate in the domain, andWindows NT 4.0–based BDCs can no longer act as domain controllers.

� In .NET mode, only servers running Windows Servers 2008 can act asdomain controllers.

� The .NET interim mode is used when upgrading a Windows NT 4.0domain to the first domain in a new Windows 2008 forest.

The switch from mixed to native mode or native mode to .NET mode can’t bereversed, so don’t change mode until all domain controllers are converted toWindows Server 2008, Windows Server 2003, or Windows 2000 for nativemode — or just Windows Server 2008 for .NET mode. Also, note that you can’tadd more Windows NT 4.0–based BDCs after the domain mode is switched.

In addition, a switch to native mode allows the use of universal groups, which,unlike global groups, can be nested inside one another. Older NetBIOS-basedclients remain able to log on using the NetBIOS domain name even in nativemode. Universal groups are also supported in .NET mode.

Changing a domain’s mode is known as raising a domain’s functionality. Youcan choose to step up to native mode from mixed mode, step up to .NETmode from native mode, or jump directly to .NET mode from mixed mode. Becareful: This is a one-way switch. After you raise the functionality, you’ll haveto reinstall Windows Server to return to a lower functionality.

To raise a domain’s functionality, perform the following steps on a WindowsServer 2008 domain controller:

1. Start Active Directory Domains and Trusts. (Choose Start➪Administrative Tools➪Active Directory Domains and Trusts.)


12_180433 ch07.qxp 2/25/08 7:46 PM Page 131

2. In the console tree, select and right-click the domain you want tochange.

3. Click Raise Domain Functional Level.

The Raise Domain Functional Level dialog box appears, as shown in Figure 7-3.

4. Under Select an available domain functional level, do one of the following:

• Raise the domain functional level by selecting Windows Server 2003and clicking Raise.

• Raise the domain functional level by selecting Windows Server“Longhorn” and clicking Raise.

5. Click OK.

A warning is displayed stating that the domain mode change can take upto 15 minutes.

You can also raise the domain functional level by right-clicking a domain inthe Active Directory Users and Computers snap-in, and then clicking RaiseDomain Functional Level. The current domain functional level is displayedunder a like-named entry in the Raise Domain Functional Level dialog box.

You also need to check all other domain controllers in the domain. Make sureeach domain lists the correct mode on its properties dialog box. (Right-clickthe domain and select Properties.) If any domain controller isn’t reflectingthe change after 15 to 20 minutes, reboot it. This forces a replication.

If a domain controller can’t be contacted when you make the change (forexample, if it’s located at a remote site and connects to the main site onlyperiodically), the remote domain controller will switch its mode the next timereplication occurs.

Figure 7-3:The Raise

DomainFunctional

Leveldialog box.


12_180433 ch07.qxp 2/25/08 7:46 PM Page 132

When Domains MultiplyIn this section, you look at new methods available in Windows Server 2008 tointerconnect domains. In Windows NT 4.0 domains, you’re limited to simpleunidirectional or bidirectional trust relationships to interconnect two domainsexplicitly at a time. Windows Server 2008 has many more sophisticated, func-tional models to create relationships and connections among its domains.

Trust relationships across domainsWindows NT 4.0 trust relationships aren’t transitive. For example, if domain Atrusts domain B, and domain C trusts domain B, domain C doesn’t automati-cally trust domain A. (See Figure 7-4.)

This lack of transitivity is no longer the case with the trust relationships used to connect members of a tree or forest in Windows Server 2008/2003 orWindows 2000. Trust relationships used in a Windows Server 2008/2003 or2000 tree are two-way, transitive trusts. This means that any domain in theforest implicitly trusts every other domain in its tree and forest. Thisremoves the need for time-consuming administration of individual trusts

Domain B

Domain C

Domain A

This relationship would nothave been implicitly createdin a 4.0 domain environment

but is possible in 2000domain forests

Figure 7-4:An example

of a trustrelationshipin Windows

NT 4.0.


12_180433 ch07.qxp 2/25/08 7:46 PM Page 133

between pairs of domains because such trusts are created automaticallywhenever a new domain joins a tree.

The security of Windows Server 2008 trusts is maintained by Kerberos.Kerberos Version 5.0 is the primary security protocol for Windows Server2008, but it isn’t a Microsoft protocol. Kerberos is a security system devel-oped at the Massachusetts Institute of Technology (MIT). It verifies both theidentity of the user and the integrity of all session data while that user islogged in. Kerberos services are installed on each domain controller, and aKerberos client is installed on each workstation and server. A user’s initialKerberos authentication provides that user with a single logon to enterpriseresources. For more information about Kerberos, see the Internet EngineeringTask Force’s (IETF’s) Requests for Comments (RFCs) 1510 and 1964. Thesedocuments are available on the Web at http://rfc-editor.org.

Building treesIn Windows Server 2008, one domain may be a child of another domain. Forexample, www.legal.savilltech.com is a child of savilltech.com(which is the root domain name and therefore the name of the tree). A childdomain always contains the complete domain name of the parent. As shownin Figure 7-5, dev.savillCORP.com can’t be a child of savilltech.combecause those domain names don’t match. A child domain and its parentshare a two-way, transitive trust.

When a domain is the child of another domain, a domain tree is formed. Adomain tree must have a contiguous namespace (which means all namespacesshare a common root — that is, have the same parent).

Domain trees can be created only during the server-to-domain-controller-promotion process with DCPROMO.EXE.

Here are some advantages to placing domains in a tree:

� All members of a tree enjoy Kerberos transitive trusts with their parentand all of its children.

� These transitive trusts mean that any user or group in a domain tree canbe granted access to any object in the entire tree.

� A single network logon can be used at any workstation in the domain tree.


12_180433 ch07.qxp 2/25/08 7:46 PM Page 134

Understanding forestsYou may have a number of separate domain trees in your organization withwhich you’d like to share resources. You can share resources betweendomain trees by joining those trees to form a forest.

A forest is a collection of trees that doesn’t explicitly share a single, contigu-ous namespace. (However, each tree must be contiguous.) Creating a forestmay be useful if your company has multiple root DNS addresses.

For example, in Figure 7-6, the two root domains are joined via transitive,two-way Kerberos trusts (like the trust created between a child and itsparent). Forests always contain the entire domain tree of each domain, andyou can’t create a forest that contains only parts of a domain tree.

savilltech.com

legal.savilltech.com dev.savillCORP.com

Child domainsMUST contain theparent DNS name

defense.legal.savilltech.com

Figure 7-5:Parent/childrelationship

example.


12_180433 ch07.qxp 2/25/08 7:46 PM Page 135

Forests are created when the first server-to-domain-controller-promotionprocess using DCPROMO is initialized and can’t currently be created at anyother time.

You aren’t limited to only two domain trees in a forest. (You can have as fewas one because a single domain by itself is technically considered both a treeand a forest.) You can add as many trees as you want, and all domains in theforest will be able to grant access to objects for any user in the forest. Again,this cuts back the need to manage trust relationships manually. The advan-tages of creating forests are as follows:

� All trees have a common global catalog containing specific informationabout every object in the forest.

� The trees all contain a common schema. Microsoft has not yet con-firmed what will happen if two trees have different schemas beforethey’re joined. We assume that the changes will be merged.

� Searches in a forest perform deep searches of the entire tree of thedomain from which the request is initiated and use the global catalogentries for the rest of the forest.

savilltech.com acme.com

defense.legal.savilltech.com

legal.savilltech.com dev.savilltech.com legal.acme.com

Figure 7-6:An example

of a forest.


12_180433 ch07.qxp 2/25/08 7:46 PM Page 136

Chapter 8

Working with Active Directory,Domains, and Trusts

In This Chapter� Understanding domains

� Controlling domains and directories

� Handling directory permissions

� Managing trusts

Access to Active Directory’s sheer power is useless unless you can con-figure and manage its content. Only then can you get the most out of its

powerful (but sometimes cryptic) environment. In this chapter, you take along hard look at Active Directory. Before you enter into this staring contestwith your computer screen, however, we want to show you how manipulatingand configuring content is tied to manipulating and configuring domains.That’s right; you get to tackle domains one more time. So once more into thebreach, dear friend, so that you too can master your own domain(s).

For details on domain controllers and their changing roles in Windows 2008,see Chapter 7. We also suggest you pick up a copy of Active Directory ForDummies (Wiley Publishing).

Master of Your DomainDomain controller roles aren’t defined during the installation of WindowsServer 2008 but rather while running the Active Directory Installation Wizard.(For more information about the Active Directory Installation Wizard, seeChapter 7.) Windows Server 2008 borrows the concept of a primary domaincontroller (PDC) from Windows NT through the use of the PDC emulator forcertain domain functions, though it has jettisoned Windows NT’s concept of a

13_180433 ch08.qxp 2/25/08 7:46 PM Page 137

backup domain controller (BDC). In Windows 2008, all domain controllers areequal and share peer-to-peer relationships, rather than acting either asmaster (PDC) or slave (BDC).

To support older Windows NT Server 4.0 and 3.51 BDCs in a mixed modeenvironment, one of the Windows Server 2008 domain controllers must emulate a Windows NT Server 4.0 PDC. Then it must replicate changes tothose old-fashioned BDCs so that they can keep up with changes to ActiveDirectory, such as password modifications.

Keeping lots of peers around can cause problems if you don’t watch out.(Ever hear the expression, “Too many cooks spoil the soup”?) WindowsServer 2008 uses five special roles to keep peers in line. One role is specifi-cally designed to support any Windows NT vintage clients and domain con-trollers. The other four roles work to minimize the risk that multiple domaincontrollers will make changes to the same object, thereby losing or confusingattribute modifications.

These roles are called Flexible Single Master Operation (FSMO) roles, whereeach of the five roles manages a particular aspect of a domain or forest. Some of the Flexible Single Master Operation domain controllers, sometimesreferred to as operations masters, have a role that is domain wide, so theireffect percolates throughout the given domain. When a forest has multipledomains, each domain has a domain-wide FSMO domain controller. OtherFSMO domain controllers have a forest-wide role. Each forest-wide FSMOdomain controller is the only one of its type in the entire forest, regardless of how many domains reside within that forest.

The flexibility of the Flexible Single Master of Operation domain controllersindicates that these roles can move between domain controllers within adomain if the role of the original FSMO DC is domain wide, or between otherdomain controllers in the forest if the role of the original FSMO DC is forestwide. However, it does take some effort on your part to move them.

You assign FSMO roles using the NTDSUTIL utility. For more information onthe NTDSUTIL utility, see the Windows Server 2008 Server Help files or theResource Kit.

The following list gives you an idea how these five roles work with domains inActive Directory:

� Schema master: At the heart of Active Directory, the schema is a blue-print for all objects and containers. Because the schema has to be thesame throughout an entire forest, only one domain controller can beused to make modifications to the schema. If the domain controller that


13_180433 ch08.qxp 2/25/08 7:46 PM Page 138

holds the role of schema master can’t be reached, no updates to theActive Directory schema may be performed. You must be a member ofthe schema administrators group to make changes to the schema. (SeeChapter 7 for a more detailed definition of the schema.)

� Domain naming master: To add a domain to a forest, its name must beverifiably unique. The domain naming master of the forest oversees thedomain name operation and ensures that only verifiably unique namesare assigned. It also functions to add and remove any cross-references todomains in external directories, such as external Lightweight DirectoryAccess Protocol (LDAP) directories. Only one domain naming masterexists per forest. You must be a member of the enterprise administratorsgroup to make changes to the domain naming master, such as transfer-ring the FSMO role or adding domains to or removing domains from aforest.

� Relative ID (RID) master: Any domain controller can create new objects(such as user, group, and computer accounts). The domain controllercontacts the RID master when fewer than 100 RIDs are left. This meansthat the RID master can be unavailable for short periods of time withoutcausing object-creation problems. This ensures that each object has aunique RID. There can be only one RID master per domain.

� PDC emulator: The PDC emulator domain controller acts as a WindowsNT primary domain controller when there is a domain environment thatcontains both NT4 BDCs and Windows 2000 DCs or Windows 2003/2008DCs (or all three). It processes all NT4 password changes from clientsand replicates domain updates to the down-level BDCs. After upgradesto the domain controllers have been performed and the last of the BDCsare upgraded or removed from the environment, the Windows 2000domain or Windows Server 2003/2008 domain (or all three) can beswitched to native mode. After the domain is in native mode, the PDCemulator still performs certain duties that no other DCs in the domainhandle.

Each domain in the forest, including child domains, has only one PDCemulator domain controller.

� Infrastructure master: When a user and a group are in differentdomains, there can be a lag between changes to a user profile (a user-name, for example) and its display in the group. The infrastructuremaster of the group’s domain is responsible for fixing the group-to-userreference to reflect the rename. The infrastructure master performs itsfix-ups locally and relies on replication to bring all other replicas up todate. (For more information on replication, see the “When replicationhappens” section, later in this chapter.)

139Chapter 8: Working with Active Directory, Domains, and Trusts

13_180433 ch08.qxp 2/25/08 7:46 PM Page 139

Trusts Are Good for NT 4.0 and Active Directory Domains

In the good old days before the need for FSMO roles (that is, during WindowsNT’s prime), there was exactly one main domain controller (a primarydomain controller, or PDC) that could make changes to the Security AccountsManager (SAM) database. Those changes were then replicated to otherbackup domain controllers (BDCs). In this model, the SAM database wassimply a file stored on each PDC that contained information about thedomain’s security objects, such as users and groups. To support authentica-tion across domains (and thus stymie unauthorized access to the network),you created one-way trust relationships between domains that would allowusers and groups from the trusted domain to be assigned access to resourcesin the trusting domain.

The concept of trusting and trusted is confusing, so we’re going to try toshed some light on the subject. Imagine a trust between two domains: A andB. Domain A trusts domain B, so domain B is the trusted domain, and domainA is the trusting domain. Because domain A trusts domain B to correctlyauthenticate its users, users from domain B can be assigned access toresources in domain A. (You could create a bidirectional trust relationship,where domain A trusts domain B with its resources and domain B trustsdomain A with its resources. However, what you really have with a bidirec-tional trust is two unidirectional trusts that have been joined.) Before you getthe idea that we’re all one happy, trusting family, don’t forget that WindowsNT 4.0–based trusts aren’t transitive; therefore, if domain C trusts domain B,and domain B trusts domain A, domain C doesn’t implicitly trust domain A.For domain A to trust domain C, you must establish an explicit trust relation-ship between domain A and domain C. Got all that? Remember it; we’ll comeback to it later.

Windows Server 2008 makes use of Active Directory to keep domains in linewhen it comes to trust relationships. Windows Server 2008 domain con-trollers store the directory service information in a file (NTDS.DIT), andtrust relationships are still needed to authenticate across multiple domains.Windows Server 2008 automatically creates trust relationships between alldomains in a forest just as it did under Windows 2000, but the real changefrom the older NT4 model to the Active Directory approach lies in how modi-fications are made and replicated to the domain database and how all auto-matically created trusts are two way and transitive by default. Now if A trustsB and B trusts C, A trusts C — and the reverse is true as well.

Before you get too flabbergasted, don’t forget that Windows 2000 andWindows Server 2003/2008 use trusts in the same way. All operating systemscreate two-way and transitive trusts.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 140

How Domain Controllers Work TogetherIn the days of Windows NT, domains had it easy. You made changes at onlyone domain controller, and the changes were copied at regular intervals toany other controllers for the domain.

Now, with Windows Server 2008, you can make changes at any domain con-troller and remain confident that Windows Server 2008’s left hand alwaysknows what its right hand is doing. How does this work, you ask? The answer,dear friend, is multimaster replication. (And you thought we were going tosay “blowing in the wind.”) How multimaster replication works is discussedin Chapter 7, but here you look at the concept at a higher level.

With multimaster replication, any domain controller can make changes to theActive Directory database. Those changes are then replicated to all otherdomain controllers in that domain.

When replication happensReplication between domain controllers in a Windows NT 4.0 domain is con-figured using a couple of Registry settings. That’s it. Fairly useless really.Windows Server 2008 is much cooler!

A site is a collection of machines and domain controllers connected by meansof a fast network and grouped by IP subnets. What do sites have to do withreplication, you ask? Well, everything. They allow us to define different repli-cation schedules depending on the domain controllers’ site membership.

There are essentially two types of replication: intrasite replication (betweendomain controllers in the same site) and intersite replication (betweendomain controllers in different sites).

Intrasite replicationWhen a change is made to the Active Directory, such as adding or deleting a user or changing an attribute of an object (say, adding properties to aprinter), this change must be replicated to other domain controllers in thedomain. The change is called an originating update. The domain controllerwhere the originating update was made sends a notification to its replicationpartners (other domain controllers in the site) that a change is available.After replication occurs, the replication partners will have a copy of thechange that was made on the other domain controller. This updating of theActive Directory on the partner domain controller is called a replicatedupdate because it originated elsewhere.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 141

Replication is initiated between domain controllers at a defined regular inter-val (five minutes, by default), and urgent replication using notification can beinitiated for any of the following:

� Replication of a newly locked-out account: Prevents users from movingto another part of a domain to log on with a user account that has beenlocked out on a domain controller.

� Modification of a trust account: Enables all members of a domain totake advantage of a new trust with another domain.

This replication methodology has some problems. In the good ol’ days (in other words, with Windows NT 4.0), you changed your password at thePDC to avoid the problem of a new setting not being replicated for a longtime. With Windows 2008, password changes are initially changed at the PDCFSMO; in the event of password failure, the PDC FSMO is consulted in casethe password has been recently changed but hasn’t yet been replicated.

If replication partners don’t receive any change notifications in an hour (the default setting), they initiate contact with their replication partners tosee whether any updates were made remotely and whether the subsequentchange notifications were missed.

Intersite replicationIntersite replication takes place between particular servers in one site to particular servers in another site. This is where Windows Server 2008 shines.You can configure a timetable of how often to replicate for every hour ofevery day. All you need to do is follow these steps:

1. Navigate to the Active Directory Sites and Services MMC snap-in.(Choose Start➪Control Panel➪Administrative Tools➪Active DirectorySites and Services.)

2. Go to the Inter-Site Transport branch and select IP.

3. In the right-hand pane, select a site link (for example, a remotedomain), right-click, and choose Properties.

4. Make sure that the General tab is selected and then click ChangeSchedule.

The dialog box used to change replication times appears, as shown inFigure 8-1.

5. Change the replication schedule as desired.

For example, you can set it to replicate only on Sundays from 6 p.m. to 7 p.m.

You can have different replication schedules for every pair of sites, sodepending on the network connectivity and geographical location, different


13_180433 ch08.qxp 2/25/08 7:46 PM Page 142

schedules may be appropriate. For example, if a slow WAN link existsbetween two sites, a replication with less frequent updates may be necessaryto prevent bandwidth consumption.

One other area of replication crosses domains: global catalog information.The global catalog contains all the information about all the objects in itsown domain and a subset of information for every object in the forest.However, Windows Server 2008 performs all the calculations needed to opti-mize this replication, so mere mortals like us don’t need to worry about it.

Know your database limitsIn Windows 2008, there’s really no limit to the number of objects per domain —your organization will never get that big! Windows NT 4.0 domains are limitedto around 40,000 objects per domain. This forces some companies to acquiremultiple master domains joined by bidirectional trust relationships.

Windows 2008, on the other hand, extends this to around 10,000,000 objectsper domain. HP has performed tests and created 16,000,000 user objects in asingle domain with no significant performance problems. However, it hadsome very powerful hardware — probably much more powerful than yourhome PC or even your company’s primary server!

These objects have to be replicated at some point. Windows Server 2008 usesproperty rather than object replication, which means that only the propertychange is replicated, not the entire object. In other words, if you change justone property of an object (a user’s phone number, for example), only theproperty change (the new phone number) is replicated.

Your database size is governed by your domain controller hardware and thephysical network infrastructure. But if you have enough money to invest inthe proper hardware, we doubt that you would need more than a single

Figure 8-1:This is

where youchange

replicationtimes.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 143

domain (unless your company is really big). There are, however, other rea-sons for needing multiple domains and forests, such as needing differentschemas. (See Chapter 7 for more on schemas.)

The backup and restoration needs of your enterprise may govern database sizebecause a huge directory database is no good if it takes days to back it up.

Administrivia Anyone? (ControllingDomains and Directories)

If you don’t have sufficient tools available to manipulate and manage ActiveDirectory, its power won’t do you much good. Fortunately, not only doesWindows Server 2008 come with a complete set of ready-made tools, but youcan also write your own tools and scripts using the Active Directory ScriptingInterface (ADSI).

Exploring the directory management consoleAs with everything else in Windows 2008, management of Active Directory isaccomplished using a Microsoft Management Console (MMC) snap-in. Thesnap-in you’ll use most often is the Active Directory Users and Computerssnap-in (shown in Figure 8-2), which is what you use to create, manage, anddelete everything from users to computers. It includes some of the featuresof the old User and Server Manager from Windows NT.

Figure 8-2:The Active

DirectoryUsers and

ComputersMMC

snap-in.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 144

To access the Active Directory Users and Computers snap-in, chooseStart➪Administrative Tools➪Active Directory Users and Computers. Whenyou first start the snap-in, you see your domain name (represented as a DNSdomain name) at the top of the directory. You’ll also notice several contain-ers (known more commonly as folders). Some of these containers are built-inorganizational units (OUs), which contain objects in a domain that are orga-nized into logical containers, thus allowing finer segregation and control in adomain. Certain container objects appear in all typical Active Directoryinstallations:

� Built-in: By default, the details of the old Windows NT 4.0 groups, suchas Administrators and Backup Operators.

� Computers: The computer accounts that were managed using WindowsNT’s Server Manager. Computer objects in other organizational unitsaren’t listed in this container.

� Domain controllers: A built-in organizational unit that contains alldomain controllers.

� Users: The default store for all domain users. Again, users in other orga-nizational units aren’t listed.

In a fully functional domain, you’ll find various organizational units, dependingon the services you have installed and the organizational units you create.

Everything is context driven in Windows Server 2008. This means that if youright-click an object or container, a menu specific to that object or containeris displayed. This is much better than hunting through huge standard menusfor options relevant to the chosen object.

Creating directory objectsWindows Server 2008 has tons of objects, such as computer, user, group, andshared folder objects. In this section, we concentrate on the creation of onlythe first two (computer and user objects) because the others are fairly intu-itive and don’t support many configuration options.

In a Windows NT 4.0 domain, it never took too much planning to create newuser or computer objects. You just did it. In Windows Server 2008, however,you can’t be quite so spontaneous. You first need to think about where youwant to create such an object. Placement is important because, although youcan still move objects around, it’s much easier in the long run if you create anobject in the correct location from the get-go. However, because you may notalways have the time to plan and do it right the first time, you can alwaysmove the object later if you have to. (Just don’t say we didn’t warn you.)


13_180433 ch08.qxp 2/25/08 7:46 PM Page 145

Use OUs to help you organize your data into logical containers. First youcreate an OU for the various departments in your organization (for example,one for accounting, one for engineering, one for personnel, and so on). Thenyou can put all user and computer objects in a particular department in itsOU. In addition, you can lighten your administrative load by assigning aperson in each department the rights necessary to manage his or her OU and that OU only. Pretty nifty, huh?

You can create a user object in one of two places: in the default User/Computer container or in some organizational unit they or someone else hasalready created. If you delegate the ability to create objects, you can set it upso that the delegated users can create objects in only one location, or certainselected locations.

To create a user object, perform the following steps:

1. Start Active Directory Users and Computers. (Choose Start➪ControlPanel➪Administrative Tools➪Active Directory Users and Computers.)

2. In the Active Directory Users and Computers console tree, right-clickthe container (such as Users) in which you want to create the userobject, point to New, and click User.

The first page of the User Creation Wizard (the New Object – User dialog box) is displayed, as shown in Figure 8-3.

For interoperability with other directory services, you can clickInetOrgPerson instead of the user object type, which is nearly identical.You can find information regarding InetOrgPerson in the “Understandinguser accounts” article in the Windows Help files.

Figure 8-3:The first

page of theUser

CreationWizard.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 146

3. Type the user’s first and last name, initials, and a logon name, andthen click Next.

The next page of the Wizard allows you to set the new password and thefollowing options:

• User Must Change Password at Next Logon

• User Cannot Change Password

• Password Never Expires

• Account Is Disabled

4. In the Password and Confirm Password text boxes, type the user’spassword and select the appropriate password options.

5. Click Finish.

That’s it; you’ve created a new user. You’re probably thinking, “What about all the other user attributes, such as security features?” Well, you no longerdefine those settings during the creation of the user. After you create the userobject, you right-click it and select Properties. The Properties dialog box forthe user appears.

Each tab pertains to various aspects of the selected user object. These tabsvary depending on the Windows Server 2008 subsystems in use, on otherback office applications such as Exchange Server or SQL Server, and even onwhat third-party software you might have installed.

Computer account creation is much simpler and doesn’t bombard you withquite so many tabs. Again, in Active Directory Users and Computers, right-click the container in which you want to create the new computer object(such as computers), and choose New➪Computer. The New Object –Computer dialog box appears, as shown in Figure 8-4. You have to only type a computer name and select who can add the computer to the domain.

Figure 8-4:We’re

creating a new

computerobject

namedFriedBanana

Sandwich.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 147

Finding directory objectsFinding objects is one of Active Directory’s greatest pluses. Using the globalcatalog, you can find an object anywhere in an enterprise forest by queryingActive Directory.

You can search for anything — a user, a computer, even a printer — and youcan search for many attributes. (The attributes presented vary depending onthe type of object you’re searching for.) For example, you can ask ActiveDirectory to find the closest color-capable, double-sided printer at your site.You don’t even have to tell Active Directory where you are. It figures that outautomatically.

On a Windows Server 2008 system, there’s a Search component that you canaccess from the Start menu. (Choose Start➪Search.) Under this menu, youcan use a number of options to search for users, folders, and printers. Theavailable options are as follows:

� For Files or Folders

� On the Internet

� Find Printers

� For People

For example, if you want to search for a color printer, choose Start➪Search➪Find Printers. There are three available tabs: Printers, Features, andAdvanced. You want to choose the Advanced tab because it allows you tospecify that you’re searching for a color printer. After you enter all yourdetails, click Find Now, and your results appear. In a large enterprise, manylistings that meet your requirements may appear, so always try to be as spe-cific and detailed as possible when performing a search.

A word on ADSIActive Directory Scripting Interface (ADSI for short) allows you to manipulatethe directory service from a script. You can use Java, Visual Basic, C, or C++scripts. With ADSI, you can write scripts that automatically create users,including their setup scripts, profiles, and details.

If you need to manage a medium or large domain, you should learn ADSI. Inthe long run, it’ll save you a great deal of time and aggravation.

Search the Microsoft Web site at www.microsoft.com/windows for ADSI,and you’ll find loads of great information (more than you’d want!). Also checkthe Windows Server 2008 Resource Kit for details.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 148

Permission to Proceed? HandlingDirectory Permissions

An old concept says, “You’re the administrator; administrate no longer.” Andit does have some truth to it in Windows Server 2008. Although some tasksstill require a full-fledged domain administrator, the common management of a domain may be more easily accomplished when you grant different setsof user permissions to manage different sets of users and user properties. In English, this means you can delegate the responsibility for managing low-level users to slightly higher-level users, and so on, until you, as the adminis-trator, need to get involved only to manage more weighty constructs, such asdomain forests and trees or intrasite access.

About Active Directory permissionsIf you’re familiar with the Windows NT security model, you probably know all about Access Control Lists (ACLs). ACLs allow a set of permissions to beapplied to a file, directory, share, or printer (and more), thus controllingwhich users can access and modify these particular objects.

Windows Server 2008 takes this to the next level by assigning an ACL toevery single attribute of every single object. This means you can control user access to such a fine degree that you can micromanage your users intothe nearest insane asylum. You could insist, for example, that “User groupPersonnel Admin may change the address, phone number, and e-mail attrib-utes of all users but nothing else.”

Assigning permissionsYou can assign permissions to Active Directory objects in various ways. Here,we present an extreme case, so everything else looks like a piece of cake!

Remember Active Directory Users and Computers? Well, earlier in this chap-ter, in “Exploring the directory management console,” you saw a nice, basicview of this utility. However, it has other options that are shown only whenit’s in Advanced Features mode. To turn on Advanced Features, start ActiveDirectory Users and Computers (choose Start➪Administrative Tools➪Active Directory Users and Computers) and then choose View➪AdvancedFeatures.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 149

Some new branches are added to the basic domain root: LostAndFound andSystem. We don’t care about that, though. Instead, we’re interested in thenew tab added to the objects — the Security tab.

In Active Directory Users and Computers, find a user, any user. Right-click theuser and then select Properties. In the user’s Properties dialog box, click theSecurity tab, and then click the Advanced button. The Permissions tab forthe Advanced Security Settings dialog box appears, as shown in Figure 8-5.You see a list of permission entries that includes a type (Allow/Deny), a useror group, and the permission and its scope.

Obviously, assigning permissions explicitly to every object takes forever.Thankfully, Active Directory uses an inheritance model so that you need tomake changes only at the root; the changes propagate down from there. Thefollowing section spells out how this works.

Permissions inheritanceThere are two types of permissions: explicit and inherited. Explicit permis-sions are assigned directly to an object, and inherited permissions are propa-gated to an object from its parent (and so on). By default, any object in acontainer inherits permissions from its container.

Figure 8-5:The

AdvancedSecuritySettings

dialog boxfor an object

used tocontrol user

access.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 150

Sometimes, you don’t want permissions to be inherited — for example,you’re working with a directory structure in which different permissions are defined on each contained object, such as with a multiuser File TransferProtocol (FTP) site or a shared folder that contains user home directories.The default setting in Active Directory specifies that permissions are inher-ited, but you can change this default behavior.

Remember the Advanced Features view for Active Directory Users andComputers? Well, you need it again. When you turn on the Advanced Featuresfrom the View menu and check out the advanced security properties of auser (right-click the user, choose Properties, click the Security tab, and thenclick the Advanced button), notice the Include Inheritable Permissions fromThis Object’s Parent check box, which is selected by default. If you deselectit, any changes made to the parent container no longer propagate to theobjects it contains. You disable inheritance for the object.

If you do disable inheritance, you’re given the following options:

� Copy Previously Inherited Permissions to This Object

� Remove Inherited Permissions

� Cancel (Disable) the Inheritance

Of course, you can enable inheritance later if you want. It’s not a one-wayoperation, so don’t panic!

Delegating administrative controlDelegating administration over certain elements of your domain is one of the great things about Active Directory — no more administrator or non-administrator. Different people or groups can be delegated control over cer-tain aspects of a domain’s organizational unit. The following steps can beemployed to delegate administration on objects:

1. Open Active Directory Users and Computers. (Choose Start➪ControlPanel➪Administrative Tools➪Active Directory Users and Computers.)

Another way of accessing Active Directory Users and Computers is toclick Start and type dsa.msc into the Start Search bar.

2. In the console tree, right-click the organizational unit (OU) for whichyou want to delegate control.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 151

3. Click Delegate Control to start the Delegation of Control Wizard.

This is accomplished by clicking the Add button to access the ActiveDirectory search tool to locate users and groups. Make your selections.(Hold down Ctrl to select multiple users at the same time.)

The users are now displayed in the selected user’s area. The peopleyou’ve selected are the ones who can perform the tasks you’re about tochoose.

4. Click Next.

A list of common tasks is displayed for which you can delegate control(reset passwords and modify group membership, for example).

5. Make your selections and then click Next. If you choose to create acustom task to delegate, follow the steps presented by the wizard.

A summary screen is displayed (as shown in Figure 8-6), giving you theoption to change your mind.

6. When you’re happy with the changes you’ve made, click Finish.

That’s it; a few mouse clicks and you’ve delegated control of a container to aspecific person or groups of people.

Managing TrustsIn Windows NT 4.0, trust management was a big problem in a large enter-prise. In Windows Server 2008, however, trust management is simple becauseall trusts are set up by default between all domains in a forest, and thesetrusts are two-way transitive trust relationships.

Figure 8-6:The

summaryscreen

of theDelegation

of Controlwizard.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 152

Two-way transitive trusts are created automatically between all domains in a forest when you run DCPROMO. You can, however, still create the old-styleWindows NT 4 trusts for any domains that aren’t part of the same enterpriseforest.

Establishing trustsYou can create old-style trusts by following these steps:

1. Open Active Directory Domains and Trusts by choosing Start➪Control Panel➪Administrative Tools➪Active Directory Domains and Trusts.

2. Right-click the domain of choice in the Active Directory Domains and Trusts interface and then choose Properties.

3. Click the Trusts tab (see Figure 8-7) to create one-way trusts.

One-way external trusts aren’t transitive and work the same as the oldWindows NT 4.0 trusts.

You can delete a trust by selecting the trust and choosing Remove.

Figure 8-7:This is

where youcreate one-

way trustsbetweendomains.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 153

If you open the door to trusts, who gets to come through?In a forest, when you open the trust door (which happens automaticallybetween all domains in the same forest), anyone gets to come in. All trustsare transitive, so anyone in any domain in the forest can be granted permis-sion to any resource.

For old-style trust relationships (which are created manually betweendomains in different forests or in a Windows NT domain), the trust isn’t transitive. Only users in the two domains for which the trust is defined canbe assigned access to resources and only in the direction of the trust.

There’s no need to panic, though, because users can’t access resources with-out permission. Therefore, although they can be given access, they won’t beable to gain access until specifically given permission to do so.


13_180433 ch08.qxp 2/25/08 7:46 PM Page 154

Chapter 9

Printing on the NetworkIn This Chapter� Printing the Windows Server 2008 way

� Installing the server side first

� Sharing print device access

� Setting up print devices on the client side

� Managing Windows Server 2008–based print devices

� Preventing print device problems

� Introducing Windows Fax and Scan

Next to not being able to access network resources, nothing freaks outusers more than not being able to print their work. We bet you can’t

find a network administrator who can say that he or she hasn’t struggledwith print devices at one time or another. (If you’ve seen the movie OfficeSpace, you can imagine the kind of frustration we’re talking about.)

Windows Server 2008 includes a new printer architecture that provides abetter print-server platform with improved performance and a strong founda-tion for future application development. It simultaneously maintains compati-bility with existing print applications and drivers and enables them to usefeatures found only in the newer XPSDrv printer drivers, which are built upona modular design that enables more efficient print queue operation.

In addition to TS Easy Print capabilities, Windows Server 2008 integrates theXML Paper Specification (XPS) throughout to provide efficient, compatible,and high-quality document delivery to the entire print subsystem. The XPSdocument format is based on fixed-layout technology and, along with OpenPackaging Conventions (OPC), defines a new format and specification builton industry standards like XML and ZIP.

In this chapter, you discover the specifics for setting up print devices on yournetwork and avoiding common printing problems.

14_180433 ch09.qxp 2/25/08 7:47 PM Page 155

Throughout this chapter, we use the Microsoft terminology print device andprinter, which may be confusing in the real world. Microsoft defines a printdevice as the physical printer, such as an HP LaserJet 2605, and a printer asthe software on the server where you configure settings for the physical printdevice. We use Microsoft’s terms in this chapter to be technically accurate.However, this terminology may be confusing if this is your first time workingwith Windows Server 2008.

Windows 2008 Has a Print ModelWhen a user prints, the print data follows a particular path from the user tothe print device. One such example is the new XPS print path, which uses theXPS document format throughout the entire print path, from application toprinter, and creates the possibility for true WYSIWYG output.

In Windows Server 2008, the basic pieces of this print scheme are as follows:

� Print users: Print users are the people who want to send print jobs to aprint device on the network, on the Internet, or attached to their PC. Toactually print, users must have a print device driver (called a print driverin non-Microsoftspeak) installed on their PC.

� Graphics Device Interface (GDI): The already expanded GDI is a soft-ware program that finds the appropriate print device driver and workswith the driver to render print information into an appropriate printerlanguage. After the information is rendered, the GDI sends it to theclient-side spooler. (A Windows client application would call the GDI theprint process.)

� Print device driver: This software piece is provided by either the manu-facturer (for the latest version) or by Microsoft (not always the latest)and corresponds directly to a particular print device make and model.It’s the interface between the software application and the print device,which is called a print driver in non-Microsoftspeak. You may also hear it referred to as a printer driver. The print device driver need not beinstalled on the client. Instead, if the client is a Windows 98, SE, ME, NT,2000, or XP system, it can download the print device driver from theprint server when it wants to print a document. However, this doesrequire that the print server be configured to host print device driversfor these operating systems.

� Printers: This is also called a logical printer, and it isn’t the physicalpiece of machinery you sometimes want to kick, but rather the bundle ofsettings you need to make a print device run. It exists as software on theserver that you use to configure settings for print job processing androuting for the physical print device.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 156

� Print jobs: Print jobs are files you want to print. Print jobs are formattedat the workstation by the GDI and a print device driver and submittedfor output on a local or networked print device. If the print device islocal (attached to the PC), the output is printed right there and then. If a network print device and print server are involved, the output is sent(spooled) to a queue on the print server until a print device is availableto service the request.

� Print servers: Print servers are computers that manage network printdevices attached to them. A print server can be any computer locatedon a network (or the Internet) that has a print device attached and runssome Microsoft operating system, such as Windows 2000/2003/2008, NT,or 9x. (Even a user workstation can function as a print server — but wedon’t like this approach because it typically brings too much traffic tosome user’s PC.) When a user submits a print job, the print server storesthe job in a queue for the print device and then polls the print device tocheck for its availability. If the print device is available, the print serverpulls the next job out of the queue and sends it to the print device.

Any network administrator or user with appropriate access rights canmanage print servers from anywhere on the network. By default, inWindows 2008, all members of the Everyone group can print to a device,but only those members specifically given rights can manage the device.

� Print queues: A print queue is a location on the hard disk where spooledfiles wait in line for their turn to print. Each print device has at least onecorresponding print queue (although additional queues are possible). As users submit print jobs, those jobs go into the queue to wait for theirturn. You define a queue for a print device when you add a printer to the Printers and Faxes folder and assign it a name. Print jobs enter thequeues on a first-come, first-serve basis.

Only someone with appropriate access rights to manage queues (admin-istrators, print operators, and server operators) can alter print order ina print queue. You can assign users on your network permission tomanage print queues for you. Windows 2008 includes a built-in usergroup called Print Operators, and you can add users to this group togive them the proper access rights for the task by choosing Start➪Administrative Tools➪Active Directory Users and Computers, selectinga domain, and opening the Built-in folder.

Giving some users print-queue management rights rather than others maybe seen as playing politics if you don’t exercise great caution in makingsuch assignments. Some folks may accuse others of playing favoriteswhen print jobs are rearranged in the queue. We’ve seen this happen a lot.If you choose people who are neutral, your life will be easier!

� Print devices: Print devices are physical devices or physical printers,such as HP laser printers. Print devices can be attached locally to aworkstation or server or directly to the network. In the real (non-Microsoft) world, this is what we normal people call a printer!

157Chapter 9: Printing on the Network

14_180433 ch09.qxp 2/25/08 7:47 PM Page 157

Physical print devicesWe call print devices physical print devices because you can walk up to thesedevices and touch them. Print devices come in different categories, includinglaser, plotter, inkjet, and bubble jet. You can attach a physical print devicelocally to a PC, server, or print server, or directly to the network (as shown inFigure 9-1).

A print server is just a network-attached PC that services print jobs — so,technically, we could lump PCs and print servers in the same category. Welist them separately in this case because we want to distinguish between a PCwhere a user does work and a dedicated print server located on the network.

Logical assignmentsA logical printer assignment isn’t a print device — it exists intangibly, in theform of a Windows Server 2008 definition. It’s sort of like a name thatWindows 2008 uses to identify a physical print device (or a group of physicalprint devices, as you see later in this section). Each time you define a printdevice and its properties in Windows 2008, the operating system assigns alogical printer definition to the physical print device so that it knows towhich physical print device you want to send your jobs.

When you first install a print device, a one-to-one correlation exists betweenthe physical print device and the logical definition. You can expand the use oflogical printer assignments, however, so that one logical printer assignmentserves as the definition for several physical print devices. This use is knownas print device pooling, and you set it up through print device properties byadding ports to the print device’s definition.

You don’t need to be too concerned about defining logical printers unlessyou intend to pool print devices. Pooling happens whenever you attach aprint device to the server (as explained later in the “Attaching print devicesto servers” section). Just understand that Windows 2008 correlates a logicalprinter definition to one or more physical print devices attached to your network.

For example, you’re likely to have several print devices connected to yournetwork, and all or many of them may be the same type, such as HPLJ2605. Ifyou don’t define a logical printer for Windows 2008, how does it know towhich HPLJ2605 print device to send your jobs? You could end up running allaround the building looking for your expense report! Defining a logical printerdefinition keeps order in your world. You could name one logical printer


14_180433 ch09.qxp 2/25/08 7:47 PM Page 158

2FLWest and you’d know that your report is sent to the HPLJ2605 on thesecond floor of the west wing of your building. (The mechanics involved are covered in the next section, “Installing on the Server’s Side.”)

Another bit of magic that logical assignments can help you with is balancingprint jobs. Suppose that you have three physical laser print devices (A, B,and C) located on your network in close proximity. If a user chooses to send a print job to print device A, which is printing a large print job, a lot of timeand resources are wasted if print devices B and C sit idle at the same time.

You can help your users by setting up one logical printer definition andassigning it several different physical print devices to which to print.Therefore, your users print to the logical printer, which then figures outwhich physical print device is available. This takes decision-making and worrying away from users and transfers it to the operating system. The onlycaveat here is avoiding too much physical distance between print devices.Try to make sure that all physical print devices in any logical printer defini-tion are in the same general area so users don’t have to run around the build-ing looking for printouts.

Job 1Job 2Job 3

Job 1Job 2Job 3Job 4

Job 1Job 2Job 3

Job 1Job 2Job 3

2008 Serverqueue for #2

2008 Serverqueue for #3

Print serverqueue for #4#4 Laser

printerPrint server

2008 Server

#1 Laser printer(server attached)

#2 Laser printer(server attached)

#3 Laser printer(network attached)

Queue for #1 (Print user)

Figure 9-1:Differentmethods

to connectprint

devices on a network.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 159

Individual departments are typically arranged so that they share a commonprint device or print device group. Each group is logically labeled in somesite-specific manner (hopefully accompanied by physical identifiers on eachprint device) that may or may not be descriptive of its assigned area or pur-pose. You will require advanced knowledge of what prints where whenevermultiple devices are available in a pool.

When setting up logical assignments to service more than one physical printdevice, all physical print devices must be identical. The only changes you canmake are to properties, such as bin number or paper size for each printdevice.

Conversely, you can assign several printer assignments to service one physi-cal print device. You want to do this if users print special items, such asenvelopes. Define one printer assignment to print to the envelope bin on thephysical print device and define another printer assignment to print letter-size paper on the same print device.

If you give logical assignments descriptive names, users will know where theprint device is and what type of function it performs. For example, using logi-cal names such as 2FLWestEnv and 2FLWest tells users that 2FLWestEnv is onthe second floor of the west wing and it prints envelopes, whereas the otheris a normal print device on the second floor of the west wing. Both printerassignments service the same physical print device, but they may print to different bins, or one may pause the print device between pages, and so on.Here, you don’t need to do anything other than define separate print devicesthat all print to the same port.

Installing on the Server’s SideBefore you set up clients to print on your network, first make sure to go tothe server and install all the print device definitions, drivers, and hardware,and then go to the client side. Doing so ensures that when you finally get tothe user’s workstation, you can submit a test print job right away because allthe components are in place. If you start at the user’s side first, you have toreturn later to check your work.

Meet the Printers folderYou can find nearly everything you want to do with print devices on theserver in the Control Panel’s Printers folder, which you can access by choos-ing Start➪Control Panel➪Printers. Previously, this applet was called Printers


14_180433 ch09.qxp 2/25/08 7:47 PM Page 160

and Faxes, but Microsoft has since reassigned faxing and scanning capabili-ties to a combined applet. We say nearly everything because the print devicedrivers are stored outside the print devices folder. (Most of the drivers arefound on the Windows Server 2008 DVD.)

When you first install Windows Server 2008, the Printers folder contains onlyan Add Printer icon, which is designed to help you install a physical printdevice (or logical printer definition). Each time you install a new print deviceby clicking the Add Printer icon (as described later in this chapter), Windows2008 assigns it a separate icon in the Printers folder, as shown in Figure 9-2.

When you click the Add Printer icon, the Add Printer Wizard appears, bringing with it a set of default policies that it uses to guide you through the process of adding each new print device to the Printers folder.

After you’ve installed the print devices you want, you can make changes to the print devices’ settings by visiting the Printers folder. Right-click theprint device you added and choose Properties from the pull-down list thatappears. A window with numerous tabs appears. You make all the changes to the particular print device’s settings in this Properties dialog box, so takesome time to familiarize yourself with the available settings.

Adding a networked print deviceIn an ideal world, your network and users would allow you to set up one typeof print device in one manner (such as all laser print devices of the samemake and model with network interface cards). In the real world, however,

Figure 9-2:The Printers

foldershowing an

installedprint device,a Microsoft

XPSDocument

Writer icon,and the AddPrinter icon.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 161

things don’t pan out like that. Therefore, the engineers at Microsoft designedWindows Server 2008 to provide you with four ways to attach print devicesto your network:

� Windows Server 2008

� Print server

� Networked (as shown in Figure 9-1)

� PC (a workstation, in Microsoft-speak)

In the following sections, we show you the four approaches to installing printdevices on your network. Three of the four installations are similar; they’rejust performed on different machines. For example, the steps for installingprint devices attached to networks are similar to the steps for installing printdevices attached to workstations. Both machines have print devices con-nected to their local ports, and they both share print devices on the network.

Attaching print devices to serversYou may find a need to attach a print device directly to your server. We don’trecommend that you use this method unless your organization can’t afford tospare a machine for you to use as a dedicated print server. Why? Because anytime you attach a device to a file server, you run the risk that it may gethosed and crash the server — and we’ve seen this happen often.

To attach a print device to a Windows Server 2008, you need a print device, a Windows Server 2008 computer, a cable, the Windows Server 2008 installa-tion DVD (if you didn’t copy it to your server’s hard disk), and any printdevice drivers you want automatically downloaded to the clients.

Connect the print device directly to one of the ports on the server (for exam-ple, LPT1) and install the print device on this machine in its Printers andFaxes folder by choosing Start➪Control Panel➪Printers. Then follow thesesteps:

1. Double-click the Add Printer icon, which invokes the Add PrinterSetup Wizard, and click Next.

2. Choose Add a Local Printer and then click Next. (USB devices areautomatically detected and installed by Windows.)

The printer detection window of the wizard appears, searching for andinstalling attached Plug and Play print devices. If the print device isn’tPlug and Play, you must follow the rest of the steps in this section.

3. From the Use an Existing Port drop-down list, select the port to whichyou attached this print device (such as LPT1) and click Next.

A window appears for choosing the manufacturer and model of the printdevice.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 162

4. In the Manufacturer area, highlight the print device manufacturer; In the Printers area, highlight the model of the print device and click Next.

If you don’t see your print device listed here, it means you have to pro-vide the Add Printer Wizard with the driver. Click the Have Disk buttonand point the wizard to the location and path where the driver resides.

5. In the Type a Printer Name window of the wizard, Setup suggests aname for this printer. Accept this name by clicking Next or type a new name for this printer in the Printer Name text box.

6. (Optional) Select the Set As the Default printer check box if you wantthis to be the default printer for users permitted to access the associ-ated print queue.

7. Click Next to move on to the Printer Sharing window.

8. Indicate whether you’d like to share the printer.

By default, Windows furnishes a share name in the Printer Sharingwindow of the wizard.

• Share: If you want to share the printer and you don’t want to usethe default name, you can type over it to change it. The sharename is the name that your users will see when they print to thisprinter, so make it meaningful. (For example, create a name such as2ndFLWestEnv to indicate that the printer is on the second floor ofthe west wing and it prints envelopes.)

• Do Not Share: If you don’t want to share the printer, choose the DoNot Share this printer option.

9. Click Next.

10. Choose whether you want to print a test page (always a great idea) byclicking the Print a Test Page option. Next, to install drivers for theother client operating systems that will access the printer, click theInstall Drivers button.

11. Click Finish.

Setup copies files from the Windows Server 2008 installation DVD to theWindows Server 2008 computer’s hard disk. If you elected to print a testpage, it also emerges from your newly defined printer at this point.

If you chose to share the printer in Step 8, Windows may ask you tosupply any missing operating system print drivers (see Step 10) so thatit can automatically download those drivers to its clients. (However in most cases, Windows Server 2008 won’t have to ask, because it comes equipped with a large library of client print drivers from which it can draw.)


14_180433 ch09.qxp 2/25/08 7:47 PM Page 163

12. If you chose not to print a test page and not to install additional dri-vers, Setup presents you with a summary page of the choices youelected during the setup process. Click Finish if your choices are cor-rect. Otherwise, use the Back and Next buttons to correct any invalidor incorrect info.

If you’re familiar with setting up printers on previous versions of Windows,you probably whipped through these steps because the print device setupsare similar. At this point, you’ve set up the following:

� One basic logical printer assignment that points to one physical printdevice on Windows Server 2008: We say basic because you haven’t yetcustomized any options, such as paper bins, dots per inch, and separa-tor pages, for this print device. You probably weren’t aware that as youdefined this physical print device, you also assigned it a logical printerassignment. Remember that there’s a one-to-one correlation between thetwo each time you install a physical device and define it — unless youadd more physical devices.

� A print queue for this print device: Windows Server 2008 does this foryou when you define the print device. To view the queue, double-clickthe print device icon. You won’t see anything in the queue just yet.

� Shared access to this print device by everyone on the network: Whenyou define a share name on the network for a print device, WindowsServer 2008, by default, assigns the Everyone group access to this printdevice. You have to change this default policy if you don’t want “every-one” to have access to this print device. If you have Active Directoryinstalled, the print device is published to the Directory.

You can have multiple logical printer assignments pointing to one physicalprint device. If you want to assign another logical printer assignment that ser-vices this physical print device, you repeat the previous steps but assign anew computer and share name. You can assign different properties to thisphysical print device for each logical printer definition.

Attaching print devices to print serversIn the preceding section, we show you how to hook up a print device to aWindows Server 2008 computer so that your Windows Server 2008 functionsas a print server on your network, in addition to its other duties. To helpmanage the load on the Windows Server 2008, you can offload this printingtask to another computer on your network and have it function as your print server.

The print server is just another computer on your network, only with anattached print device that you set up to manage print spooling, print queues,and print jobs. We like this method because it frees up the Windows Server2008 to perform other tasks. When your clients print to the print server, theybypass the Windows Server 2008.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 164

You can install any Microsoft operating system that you like on the computerthat will be your print server. We recommend at least Windows 9x, but weprefer a Windows NT, 2000, or XP workstation because you can download theprint drivers to the client workstations from the print server automaticallywith no intervention on your part. This means that you don’t have to installdrivers manually on each of the client workstations.

After you’ve installed an operating system on your soon-to-be print server,follow Steps 1 through 12 from the “Attaching print devices to servers” sec-tion if you’re using a Windows NT, 2000, or XP Workstation as the operatingsystem. If you’re using Windows 9x, repeat the same steps but exclude thedownloadable print device drivers from Step 10. Instead, you must go to eachclient and install the corresponding print device drivers.

Attaching networked print devices to print serversSome print devices, such as HP laser print devices, are neat because afteryou plug a network adapter into them, they’re nearly ready to be placed any-where on your network where there’s an electrical outlet and an availablenetwork connection. Nearly, but not quite! You must still make all the physi-cal connections and assign an IP address to the printer. After you do that,perform the following steps to add the networked print device to the printserver:

1. Choose Start➪Control Panel➪Printers.

The Printers applet window appears.

2. Double-click the Add Printer icon to invoke the Add Printer Wizardand click Next.

3. In the Add Printer window, click Add a Network, Wireless, orBluetooth Printer and then click Next.

Windows begins searching for available network-accessible printdevices and displays the Searching for Available Printers window.

4. Select the printer (print device) you want from the list of discoveredprinters (print devices) that appears in list form and then skip to Step6. If the desired print device isn’t found, you can find it by followingthese steps:

a. Click The Printer I Want Isn’t Listed.

The Find a Printer by Name or TCP/IP Address window appears.

b. Under Find a Printer by Name or TCP/IP Address, choose Browse fora Printer, Select a Shared Printer by Name (followed by the actualname), or Add a Printer Using a TCP/IP Address or Hostname.

c. Click Next and follow the dialog boxes to find and select the printer.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 165

5. Depending on what option you selected in Step 4, do the following:

• If you clicked Browse for a Printer, a browse list of all the localservers and workstations appears. Double-click those entries tofind attached print devices, after which you can add them. If yousupply a valid UNC name for a networked print device (for exam-ple, \\library-srvr\HPLaserJ), you can add it by using thatname when you click Next.

• If you clicked Add a Printer Using a TCP/IP Address orHostname, the Type a Printer Hostname or IP Address windowappears. Here you can explicitly identify (TCP/IP Device or Web Services Device) the device type or stick with the defaultAutodetect option. After that you must supply a valid hostname or IP address and a UDP port number to complete the print deviceconnection.

6. After completing these steps, click Next to see a Connect to Printerwindow, where you can change the printer name or leave it as is.

7. Finally, you can elect to print a test page (a good way to make sureyour printer connection is working), or you can simply click the Finish button.

Congrats! You’re done!

When installing a print device on a Windows Server 2008 with ActiveDirectory installed, the Add Printer Wizard shares the print device and pub-lishes it in the Directory — unless you change the policy rules. For moreinformation on Active Directory, please read Chapter 7.

Attaching print devices to a workstation PCSome users may have print devices on their desks that you may want to makeavailable to other users on the network. Attaching a print device to a PC is theleast desirable method because it involves users going to another user’s PC topick up print jobs. This can cause a disruption in workflow for the user who’sunfortunate enough to have a print device on his or her desk. However, insmaller organizations where budgets are tight, this method is sometimes used.

To set this up, you must go to the user’s desktop and share that print deviceon the network. If you’d like, you can restrict access to that share so that theentire organization isn’t allowed to print there. Where do you find all this? Inthe Printers and Faxes folder on the user’s desktop, of course! Right-click theAdd Printer icon if no print device is installed, choose the print device to be alocal print device connected to a local printer port (such as LPT1 or a USBport), and assign it a name. If a print device is already defined, right-click its


14_180433 ch09.qxp 2/25/08 7:47 PM Page 166

icon and select Properties to give this print device a share name. After youshare the print device on the network, other users can see it.

This method causes the user’s workstation to manage the printing process.You can define this workstation-attached print device so that Windows 2008Server will manage the print process instead. Here’s how:

1. Go to the user’s computer desktop and define a share for this printdevice, but limit access to the username of “JoePrinter.” This is a fabricated username you set up purely to manage this printer.

See the following section, “Sharing Printer Access,” to find out how todefine a share.

2. Mosey back over to the Windows Server 2008 computer.

3. Add a user named “JoePrinter” in Active Directory Users andComputers. (Choose Start➪Administrative Tools➪Active DirectoryUsers and Computers.)

4. Choose Start➪Control Panel➪Printers to open the Printers applet.

5. Follow the same steps in the “Attaching print devices to servers” section earlier in this chapter, except for the following changes:

• Click the Add Printer icon and choose the networked print deviceinstead of the locally attached print device.

• Let Windows search the network or choose The Printer I Want Isn’tListed to manually specify a share name. Either type the sharename or use the Browse option to select and choose the sharename you gave the print device on the client’s desktop.

• Give this print device a new share name that the rest of the userson the network will see.

Again, we don’t recommend that you use this method unless your organiza-tion is tight on money. It can cause aggravation for the user who has to sharethe print device with other people on the network and can disrupt that user’swork environment.

Sharing Printer AccessAfter you’ve installed a printer (software and a print device, that is) on yournetwork (as we explain in the previous section), the next step is to create ashare for it on the network. (See Chapter 12 for more details on Windows2008 network shares.)


14_180433 ch09.qxp 2/25/08 7:47 PM Page 167

Until you share a print device, your users can’t see it on the network. Toshare a print device, do the following:

1. Open the Printers folder. (Choose Start➪Printers and Faxes).

2. Right-click the print device you want to share and choose the Sharing option.

3. On the Sharing tab, choose the Share this Printer option and type adescriptive share name (for example, 2ndFlWest).

4. Unless you want to process print jobs locally on this computer, leavethe Render Print Jobs on Client Computers option selected.

5. Click OK and you’re finished!

When you share a print device, it’s available to everyone on the network bydefault. You must specifically restrict groups or users from accessing theprint device if that’s what you want.

If you have MS-DOS-based clients on your network, make sure that your sharenames for print devices are only eight characters long.

Bringing Printers and Clients TogetherThe final step in setting up networked printing involves setting up the printdevices on the client side. Fortunately, not much is required in this process.Everything you need is on the Windows Server 2008, the print server, or inthe user’s Printers and Faxes folder on his or her desktop, depending onwhich client operating system is used.

If the client operating system is Windows XP, 2000, or NT, you need to onlyadd the print device in the Printers and Faxes folder (Add Printer) andchoose Networked Print Device. The reason is that the print device isattached to another computer somewhere on the network; it isn’t local tothis workstation. For the port, use the Browse option and find the sharename of the print device to which you want to print. That’s it!

If your clients have Windows 9x and are printing to a Windows Server 2008(and you’ve installed the various client operating system drivers at theserver), you simply add the print device in the Printers and Faxes folder (AddPrinter) and select it as a networked print device. When you select the portas the share name of the networked print device, Windows Server 2008 auto-matically downloads the drivers.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 168

Managing Windows 2008–BasedPrinters

You can view and manage your print servers, queues, and print devices (all ofwhich are called printers in Microsoft-speak) from anywhere on the network,including your Windows Server 2008. From one location, you can view what’sgoing on with all the print devices on your network. The only thing you can’tdo remotely is install hardware on the print device itself, such as memory orcables. But you knew that already!

The improved Print Management Console (PMC) that first appeared withWindows Server 2003 R2 is now enhanced to meet larger-scale networkdemands. PMC supports print server migration from Windows Server2000/2003 to Windows Server 2008 installations and features an improvedNetwork Printer Installation Wizard. The installation wizard reduces adminis-trative overhead by automatically locating and — where applicable —deploying a compatible driver for hands-free automated setup.

The following list includes some issues to keep in mind as you manage printdevices:

� Make sure you don’t run out of disk space on the server. If you set upspooling on your network, you must keep a close eye on the hard diskspace that print servers consume. The spooling process involves send-ing files from the print user to the print server. Remember that the printserver can also be your Windows Server 2008. In either case, if your net-work handles high-volume print activity, it’s possible to fill up a harddisk quickly with the spooling process.

After files are spooled to the print server, they remain on the hard diskin the queue until an available print device is ready. If there’s a problemwith the print device, jobs can back up quickly. Remember that queuestake up space on the hard disk, so if the queues back up, more and morespace is needed. Be careful that you don’t run low on disk space!

� Make sure your print devices have enough memory. When your usersprint graphics on the network, memory becomes an issue on the printdevices. Large graphics files require more memory to print. You can find out how much memory is in a print device by performing a self teston the print device. Some organizations don’t have a large budget foradding extra memory to all networked print devices, so they select oneor more in strategic locations and then define logical print device setupsjust for graphics output.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 169

� Select the appropriate properties for print devices. You can access theprint device’s Properties menu by right-clicking i icon in the Printersfolder. (Figure 9-3 shows the various settings you can alter for any printdevice on your network.) We go through each of the tabs here to helpyou understand which print device properties you can change:

• General tab: Here’s where you add information about the printdevice, such as comments, location, and whether to use a bannerpage. When defining a banner page, we recommend that you addsome general comments about the print device and its location. Inmedium- to large-sized operations, adding a separator page so thatprint jobs may more easily be distinguished from each other is agood idea. The current print driver information is also found here.Change this only if you’re going to install a new driver.

• Sharing tab: If you want users on the network to see this print device,you define the share name on this tab. (Remember to make it mean-ingful.) You can also tell Windows Server 2008 to allow this device toshow up in the Directory. This is also where you tell Windows Server2008 which client operating systems you have on your network andto which systems you want print drivers automatically downloaded.

• Ports tab: This is where you tell the system to which port yourprint device is attached. If it’s a network-attached print device, youdefine it here using the Media Access Control (MAC) address; if it’sa Transmission Control Protocol/Internet Protocol (TCP/IP) printdevice, you define it here using the IP address.

• Advanced tab: On this tab, you can schedule the print device’savailability, priority, and spooling options. For example, you mayopt to have print jobs run at night for a print device.

• Security tab: On the Security tab, you set up auditing of your printdevices, which enables you to gather the information you’ll need ifsomething goes wrong with a device. You may want to use theSecurity tab for charge-back purposes on a departmental basis(where you audit the usage and charge users or departments forthat use) or limit this print device’s availability. You can also definewho is allowed to manage this print device.

• Device Settings tab: On this tab, you define specific properties ofthe print device, such as paper size, dots per inch, and paper bin.

• Color Management tab: Adjust monitor or print device color-specificsettings on this tab.

• Cartridge Maintenance tab: On this tab, you can view left and rightink cartridge levels and use clickable options to install/change car-tridges, clean print nozzles, align cartridges, and order supplies.This last option actually opens the default Web browser and pointsit to your print device manufacturer’s Web site. (This tab may notshow up in every Properties window you examine; its presence orabsence depends on your print device.)


14_180433 ch09.qxp 2/25/08 7:47 PM Page 170

Preventing Printer ProblemsPrinting problems on a network can wreak havoc. Here are a few pointers tohelp you head off this type of trouble. If you do experience problems, seeChapter 20 for some troubleshooting help.

� Purchase Windows Server Catalog compatible devices. Purchase only network print devices listed in the Hardware Catalog for WindowsServer 2008. Otherwise, you may spend hours trying to get a printdevice to work on the network — only to find that the device isn’t compatible. And always remember to check Microsoft’s site for thelatest version of the Windows Server Catalog; you can find it at www.windowsservercatalog.com.

� Get the latest print device drivers. Be sure to obtain the latest printdevice driver associated with each print device on your network.Windows Server 2008 does its best to install print device drivers byitself where applicable, which may come from dated archives, onlineupdates, or install media. Newer drivers often correct bugs found inolder drivers. If you use an older driver, you may sometimes end uptroubleshooting a known bug that has already been corrected in a newer driver.

Figure 9-3:Print device

Propertiestabs in the

Printersfolder.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 171

� Purchase a name brand. We hope that your organization can afford to purchase name-brand print devices, such as Hewlett-Packard orLexmark, for your network. We find that the biggest printing problemson networks stem from cheaper models. Even if you’re able to hookthese cheaper devices up, it may take so long to get all the pieces working that investing in brand-name print devices would be more cost effective.

� Purchase from one manufacturer. We like to stick with one type (brandname) of print device where possible. Notice we said brand and notmodel. We realize that some organizations need to print in both blackand white and color. If you can purchase all your print devices from onemanufacturer (for example, Hewlett-Packard), your life and your users’lives will be easier. If you have all Hewlett-Packard laser print devices onyour network, don’t buy another manufacturer’s laser print device justbecause it’s on sale that day at your local computer superstore. You cansave time by working with one vendor and its equipment and driversinstead of having to hunt all over the Internet for various manufacturers’Web sites. Allow your users to become familiar with the one brand, andthey won’t have to learn how to use new equipment all the time.

� Buy enough memory. The influx of graphics software has uppedmemory usage in print devices to produce image-laden output. Don’twait until print jobs start fouling up before adding memory. If yourbudget is too low to do this up front, find a local vendor that stocksmemory for your printers and keep their telephone number handy.

Faxing the Windows Server 2008 WayWindows Server 2008, like Windows Server 2003 and Windows XP, includesnative fax and scan support. This means you can now send and receive faxesusing your computer without third-party software. The combined capabilitiesof Windows Server 2008 faxing and scanning are now controlled through (youmight’ve guessed) the Windows Fax and Scan applet.

Windows Fax and Scan enables you to perform and manage all faxing or scan-ning tasks and documents from a central location. The new Windows Fax andScan interface (shown in Figure 9-4) closely resembles Microsoft’s Outlookinterface — not coincidentally. Historically, Outlook stores calendar entries,contact entries, and e-mail messages; presently, the next-generationExchange Server and Outlook client software utilize more expansive rolesthat encompass and accommodate many other types of information.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 172

For example, Unified Messaging in Exchange Server stores mailboxes, publicfolders, voice messages, and faxed documents in a central repository forclients. Windows Fax and Scan provides a limited scope of capability thatinterfaces with Exchange Server Unified Messaging.

Enabling faxingFaxing isn’t enabled by default. First, you must have a fax modem alreadyinstalled and properly configured. (That means the driver is installed andthings are working properly.) Next, follow these steps to enable faxing:

1. Open the Windows Fax and Scan applet from the Start menu orControl Panel, and choose File➪New Fax.

The Fax Setup Wizard launches.

2. When the wizard asks whether you want to connect to a fax modem or fax server on the network, click OK.

The wizard installs the necessary components for faxing. After a fewmoments, you’re returned to the Windows Fax and Scan applet.

3. Follow the setup wizard’s instructions to define the fax device nameand location and decide how to receive faxes or incoming calls.

Sending faxesFaxing is like printing, but instead of sending the document’s print job to aphysical print device where the results are on paper, the print job is digitizedand sent over the phone line to a receiving fax device (which can be a tradi-tional fax machine or a fax-enabled computer). Other than needing to provide

Figure 9-4:Windows

Server 2008Fax and

Scanapplication.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 173

a phone number and the occasional cover sheet, faxing a document is justlike printing a document. To send a fax, just select the New Fax option fromthe File menu of Windows Fax and Scan, begin formatting or typing your mes-sage, and then click Send.

The first time you attempt to send a fax, the Fax Configuration Wizard islaunched. This wizard is used to define information about your fax system,such as the phone number, area code, and sender information.

Windows Fax and Scan is used to track and manage incoming and outgoingfaxes, in much the same way as you might manage e-mail in Outlook. If youwant to change your sender information, choose Tools➪Sender Informationfrom the Windows Fax and Scan console. To receive faxes, you have to enableincoming faxes and set the Answer After Rings control.

Keep in mind that you can have only one answering service per modemdevice. So, if you need a telecommuter to call in to connect to your system,don’t set up that modem to wait for faxes. The device that is waiting forincoming faxes can still be used to send faxes or even for normal dial-out connections. If you find that you need more help with the fax capabilities of Windows 2008, check out the help file and the Windows Server 2008Resource Kit.


14_180433 ch09.qxp 2/25/08 7:47 PM Page 174

Chapter 10

IP Addressing: Zero to Insane in Two Seconds Flat

In This Chapter� Working with TCP/IP and NetBIOS names

� Understanding IP addressing, nets, and subnets

� Obtaining Internet-ready IP addresses

� Using private IP addresses

� Using proxy servers and address translation

� Working with DHCP

� Dealing with problems

The Transmission Control Protocol/Internet Protocol (TCP/IP) drives theInternet and makes it accessible around the world. However, TCP/IP is a

lot more than just a collection of protocols: Many elements in TCP/IP marryprotocols to related services to provide complete capabilities. Importantexamples include dynamic address allocation and management, known as theDynamic Host Configuration Protocol (DHCP), plus domain name to addressresolution services, known as the Domain Name Service (DNS).

In this chapter, you find out about TCP/IP names, addresses, and related stan-dard services, as well as other related services hosted in Windows Server 2008.

Resolving a Name: TCP/IP and NetBIOSWhenever you issue a command in Windows Server 2008, you’re expected touse the proper syntax. Otherwise, your efforts may not produce the desiredresults. For example, when you issue a net use command from a commandprompt, you must enter the server name and a share name, as well as thedrive to which you want to map. Therefore, a simple command such as

net use G: \\ORWELL\APPS

15_180433 ch10.qxp 2/25/08 7:47 PM Page 175

associates the drive letter G with a share named APPS on the ORWELL server.If you use the TCP/IP protocol to convey the data involved, the protocoldoesn’t know how to interpret the name ORWELL as a server. Instead, itunderstands Internet Protocol (IP) addresses, such as 172.16.1.7.

If you use TCP/IP on your network, you need some way to convert IPaddresses into names and vice versa. Just as the United Nations requirestranslators so that everyone can communicate, so too does Windows Server2008, which is why understanding naming conventions and name-to-addressresolution are such an important part of working with TCP/IP on WindowsServer 2008.

NetBIOS namesIf you’re like most folks, you freeze like a deer in the headlights when youhear the word NetBIOS. Don’t worry. Only a small number of people reallyunderstand NetBIOS in detail, and figuring out what you need to know is easy.

A NetBIOS name is often called a computer name. When you install WindowsServer 2008 on a network, each computer that runs Windows requires aunique computer name. This allows all NetBIOS-based utilities to identifyeach machine by name. When you enter a command that includes a com-puter name, Windows 2008 knows which computer you’re talking about.

If you try to give two devices the same name, you run into trouble — liketrying to use the same Social Security number for two people. Each time acomputer joins the network, it registers its name with a browser service thatkeeps track of such things. When the second computer with the same nametries to register, it’s rejected because that name is already taken. In fact, thatmachine will be unable to join the network until its name is changed to some-thing unique.

When creating NetBIOS names, you need to work within some limitations,which are as follows:

� NetBIOS names must be between 1 and 15 characters long.

� NetBIOS names may not contain any of the characters shown in the fol-lowing list:

" double quotation mark

/ right slash

\ left slash

[ left square bracket

] right square bracket


15_180433 ch10.qxp 2/25/08 7:47 PM Page 176

: colon

; semicolon

| vertical slash

= equal sign

+ plus sign

* asterisk

? question mark

< left angle bracket

> right angle bracket

In addition, dollar signs aren’t recommended because they have a spe-cial meaning. (A NetBIOS name that ends in $ doesn’t appear in a browselist.)

� Don’t use lengthy names or put spaces in names. Windows Server 2008doesn’t care if you use longer names or include embedded spaces, butother networking clients or systems may not be able to handle them.

� Choose names that make sense to users and are short and to the point.Don’t name machines after users or locations, especially if users comeand go regularly or if machines move around a lot. When it comes toservers, name them to indicate their organizational role or affiliation (forexample, Sales, Accounting, or Engineering).

What’s in a NetBIOS name, you ask? A NetBIOS name should provide a short,clear indication of what’s being named so users can recognize what they see.At best, this type of naming convention makes sense without further explana-tion. At the least, you can do what we do and put a sticker with the machine’sname on each monitor or computer case for identification. You can view a listof your network’s NetBIOS names by expanding the My Network Places sec-tion of Windows Explorer. See Figure 10-1 for a sample list of NetBIOS namestaken from our network (such as Hush and Pentium_m).

Figure 10-1:NetBIOS

computernames on

our network.

177Chapter 10: IP Addressing: Zero to Insane in Two Seconds Flat

15_180433 ch10.qxp 2/25/08 7:47 PM Page 177

TCP/IP names and addressesTCP/IP uses a different naming scheme than NetBIOS does. TCP/IP uses 32-bitnumbers to construct IP addresses (for example, 172.16.1.11). Each host ornode on a TCP/IP network must have a unique IP address.

IP addresses aren’t meaningful to most humans and are difficult to remember.Therefore, it’s helpful to have some way to convert IP addresses to meaning-ful names. On a Windows Server 2008 network, you use computer names(also known as NetBIOS names). The Internet community uses a differentnaming convention called domain names. Translation methods, such asWindows Internet Name Service (WINS) and Domain Name Service (DNS),maintain databases to convert IP addresses to computer names (WINS) ordomain names (DNS).

If you’ve ever used a Web browser on the Internet, you know that you cantype a Uniform Resource Locator (URL), such as www.wiley.com, or an IPaddress, such as 208.215.179.146, to obtain access to a Web page. Youcan do so because the Internet uses DNS to resolve IP addresses to domainnames and vice versa. If you type an IP address, the Web browser jumpsstraight to that address; if you type a domain name, your request goesthrough a DNS server that resolves the name to an IP address, and then thebrowser jumps to that address.

In the IP world, the naming scheme you can use is limited if you plan to con-nect your network directly to the Internet. VeriSign (www.verisign.com) isone of many domain name registrars in charge of approving and maintaininga database of legal Internet top-level domain names. You can request anydomain name you want, but if someone else is using it or has a legitimateclaim to a trade or brand name, you won’t be able to use it. For example, youprobably won’t be able to use mcdonalds.com or cocacola.com as domainnames. In fact, if someone else has already registered xyzcorp.com, youwouldn’t be able to use that name, even if your company is named XYZCorporation.

The format for a typical IP name is host.domainname.suffix. The domainname is something you can’t guarantee, but typically represents your organi-zation. The suffix, called a top-level domain, sometimes identifies the countryof origin (for example, .ca is Canada and .de is Germany) or the type oforganization (.gov is government, .edu is education, .com is a commercialbusiness, .org is a nonprofit organization, and so forth).

Some domain names are more complex; they can take a form such ashost.subdomain.domainname.suffix, as in jello.eng.sun.com,where the host name is jello, the subdomain is eng (for engineering), and the domain name is sun (the domain name for Sun Microsystems, Inc.),which is a commercial (.com) entity. The only parts of the name under


15_180433 ch10.qxp 2/25/08 7:47 PM Page 178

control of the various Internet domain name registrars (such as VeriSign and other companies and organizations identified at www.norid.no/domenenavnbaser/domreg.en.html) are the domain name and the suffix — every domain name must be unique in its entirety to be properly recognized.

Names that include the host part, the domain name, and the suffix (plus any other subdomain information that may apply) are called Fully QualifiedDomain Names (FQDNs). To be valid, any FQDN must have a correspondingentry in some DNS server’s database that allows it to be translated into aunique numeric IP address. For example, the Web server for this book’s publisher is named www.wiley.com, which resolves into an IP address of208.215.179.146.

As long as you’re completely isolated from the Internet and intend to staythat way, you can assign any names and IP addresses you like on your net-work. If you ever connect your network to the Internet, however, you’ll haveto go back and change everything! If your network will be — or simply mightever be — connected to the Internet, you have one of two options for assign-ing addresses:

� You can obtain and install valid public IP addresses and domainnames.

Your Internet Service Provider (ISP) can provide these for you. Whenyou obtain a range of IP addresses for your network — remember, eachcomputer needs its own unique address, and some computers ordevices need multiple addresses (one for each interface) —, make sureyou get enough to leave some room for growth.

� You can (and should) obtain a valid domain name from VeriSign oranother domain name registrar, but you can use any of a range ofreserved IP addresses, called private IP addresses, to number yournetworks.

These addresses may not be used directly on the Internet; they’ve beenset aside for private use. When used in concert with a type of softwarecalled Network Address Translation (or NAT for short), this approachrequires you to obtain only a small number of public IP addresses butstill allows Internet access for every computer on your network. Thistopic is discussed in more detail later in this chapter in the section“Address translation: The new magic.”

To find out more about the process of obtaining a domain name, visitVeriSign’s Web site at www.verisign.com. The form for researching domainnames (determining whether a FQDN is already in use) and registeringdomain names (applying for a new FQDN) is on the main page. You’ll finddetails on name registration services as well as on directory and databaseservices that support the Internet’s distributed collection of DNS servers.


15_180433 ch10.qxp 2/25/08 7:47 PM Page 179

Calling Everything a NodeA unique numeric identification tag, called an IP address, is assigned to eachinterface on a TCP/IP network. Every IP address in a TCP/IP network must beunique. Each device on a TCP/IP network is known as a host. Each host has atleast one network interface with an assigned IP address. However, a host canhave multiple network interface cards (NICs), and even multiple IP addresses,assigned to each NIC.

To network ID or host ID? That is the questionAn IP address consists of two components:

� Network ID: Identifies the network segment to which the host belongs.

� Host ID: Identifies an individual host on some specific network segment.A host can communicate directly only with other hosts on the same net-work segment.

A network segment is a logical division of a network into unique numeric net-work IDs called subnets. A host must use a router to communicate with hostson other subnets.

A router moves packets from one subnet to another. In addition, a routerreads the network ID for a packet’s destination address and determineswhether that packet should remain on the current subnet or be routed to adifferent subnet. When a router delivers a packet to the correct subnet, therouter then uses the host ID portion of the destination address to deliver thepacket to its final destination.

A typical IP address looks like

207.46.249.222

(This example address matches the domain name www.microsoft.com.)This numeric IP address format is known as dotted-decimal notation. However,computers see IP addresses as binary numbers. This same IP address inbinary form is

11001111 00101110 11111001 11011110

and is written in collections of eight bits called octets. Each octet is convertedto a decimal number and then separated by periods to form the dotted-decimalnotation format shown at the beginning of this paragraph.


15_180433 ch10.qxp 2/25/08 7:47 PM Page 180

The dotted-decimal version of IP addresses is more human-friendly than thebinary version. As you may already know, domain names and NetBIOS namesare even more friendly because they use symbolic names that make sense tohumans.

An IP address requires 32 binary digits and defines a 32-bit address spacethat supports nearly 4.3 billion unique addresses. Although this seems like alot of addresses, the number of available IP addresses is quickly dwindling.Consequently, several plans exist to expand or change the IP addressingscheme to make many more addresses available. For more information onsuch plans, search for IPng Transition in your favorite search engine.

IP designers carved the entire galaxy of IP addresses into classes to meet dif-ferent addressing needs. Today, there are five IP address classes labeled bythe letters A through E. Classes A, B, and C are assigned to organizations toallow their networks to connect to the Internet, and Classes D and E arereserved for special uses.

The first three classes of addresses differ by how their network IDs are defined:

� Class A addresses use the first octet for the network ID.

� Class B addresses use the first two octets.

� Class C addresses use the first three octets.

Class A addresses support a relatively small number of networks, each with ahuge number of possible hosts. Class C addresses support a large number ofnetworks, each with a relatively small number of hosts, as shown in Table10-1. (Class B falls in the middle.) Therefore, branches of the military, govern-ment agencies, and large corporations are likely to need Class A addresses;medium-sized organizations and companies need Class B addresses; andsmall companies and organizations need Class C addresses.

Table 10-1 Address Classes and Corresponding Network and Host IDs

Class High-Order Bits First Octet Range # Networks # Hosts

Class A 0xxxxxxx 1–126.x.y.z 126 16,777,214

Class B 10xxxxxx 128–191.x.y.z 16,384 65,534

Class C 110xxxxx 192–223.x.y.z 2,097,152 254

When it comes to recognizing address Classes A through C, the network IDfor Class A addresses always starts its first octet with a 0. Each Class B net-work ID always starts with 10, and Class C network IDs always start with 110.


15_180433 ch10.qxp 2/25/08 7:47 PM Page 181

Consequently, you can determine address classes by examining an address,either in binary or decimal form. (See Tables 10-1 and 10-2.)

Table 10-2 Division of IP Address Component Octets According to Class

Class IP Address Network ID Host ID

A 10.1.1.10 10 1.1.10

B 172.16.1.10 172.16 1.10

C 192.168.1.10 192.168.1 10

Network ID 127 is missing from Table 10-1 because that ID is a loopbackaddress. Loopback addresses are used when testing IP transmission — theytransmit to themselves.

Subnetting: Quiet time for IP addressesSubnets represent divisions of a single TCP/IP network address into logicalsubsets. The motivation for subnetting is twofold:

� It reduces overall traffic on any network segment by collecting systemsthat communicate often into groups.

� It makes it easier for networks to grow and expand and adds an extralayer of security control. Subnets work by “stealing” bits from the hostpart of an IP address and using those bits to divide a single IP networkaddress into two or more subnetworks, usually called subnets — hence,the term in the preceding heading.

Network administrators typically use subnet masks to divide IP addressblocks into smaller subnetworks. A subnet mask is a special bit pattern thattakes over part of the host ID portion of an IP address and permits a largernetwork to be subdivided into two or more subnetworks, each with its ownunique network address. The base subnet masks for Classes A, B, and C networks are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively. You cancreate additional subset masks by adding extra bits set to 1 in the spaceoccupied by the 0 that appears next to the rightmost 255 in any such number.This transformation is illustrated in Table 10-3, which shows some typicalvalues for usable subnet masks.


15_180433 ch10.qxp 2/25/08 7:47 PM Page 182

Table 10-3 Subnet Masks and ResultsBinary Mask Decimal Equivalent Number of New Number of Hosts

Subnets

00000000 A: 255.0.0.0 A: 16,777,214 1

B: 255.255.0.0 B: 65,534

C: 255.255.255.0 C: 254

10000000 A: 255.128.0.0 A: Not valid Not valid

B: 255.255.128.0 B: Not valid

C: 255.255.255.128 C: Not valid

11000000 A: 255.192.0.0 A: 4,194,302 2

B: 255.255.192.0 B: 16,382

C: 255.255.255.192 C: 62

11100000 A: 255.224.0.0 A: 2,097,150 6

B: 255.255.224.0 B: 8,190

C: 255.255.255.224 C: 30

11110000 A: 255.240.0.0 A: 1,048,574 14

B: 255.255.240.0 B: 4,094

C: 255.255.255.240 C: 14

11111000 A: 255.248.0.0 A: 524,286 30

B: 255.255.248.0 B: 2,046

C: 255.255.255.248 C: 6

11111100 A: 255.252.0.0 A: 262,142 62

B: 255.255.252.0 B: 1,022

C: 255.255.255.252 C: 2

11111110 A: 255.254.0.0 A: 131,070 126

B: 255.255.254.0 B: 510

C: 255.255.255.254 C: Not valid


15_180433 ch10.qxp 2/25/08 7:47 PM Page 183

Because routers are required to communicate across IP subnets, a router’s IPaddress on each subnet must be known to every client on that subnet. Thisaddress is called the default gateway because it’s where all out-of-subnettransmissions are directed by default. (It’s the gateway to the world outsideeach local subnet.) If no default gateway is defined, clients can’t communi-cate outside their subnets.

Hanging your shingle: Obtaining IP addressesDeploying your own network or using a stand alone system with NetworkAddress Translation (NAT) to connect to the Internet requires that you obtainone or more valid IP addresses. For some uses, you may simply contract withan ISP to use a dial-up connection. Each time you connect, you’re assigned anIP address automatically from a pool of available addresses. After you discon-nect from the ISP, that IP address is returned to the pool for reuse. This worksequally well for stand alone machines and for the servers that might dial intoan ISP to provide an on-demand connection for users who have private IPaddresses but can attach to the Internet using NAT software.

One way to attach an entire network to the Internet is to lease a block, orsubnet, of IP addresses from an ISP. However, leasing IP addresses can be


What about IPv6?Those who know a little bit about TCP/IP alreadyare also likely to know it comes in two flavors.The current, predominant flavor (the one wedescribe at length in this very chapter) is calledIPv4. It features 32-bit addresses broken intofour 8-bit octets. There’s a newer version of IParound, however. It’s known as IPv6 and fea-tures 128-bit addresses (16 8-bit octets butseldom represented as such; these numbersare so big you see them primarily in hexadeci-mal or base 16 form if not plain old decimalform). In addition to a much bigger addressspace, IPv6features enhancedsecurity, multiple

automatic addressing schemes, improved rout-ing, and much more. But it’s seldom used onsmall networks and despite a U.S. governmentmandate to switch over to IPv6 addressing inJune 2008, that event looks increasingly unlikelyas the date looms ever closer. Because it’s veryrarely used on small networks, we don’t coverIPv6 in this book. Those readers who want tolearn more, and work with IPv6 on WindowsServer, should check out the TechNet IPv6clearinghouse at technet.microsoft.com/en-us/network/bb530961.aspx.

15_180433 ch10.qxp 2/25/08 7:47 PM Page 184

expensive and can limit your growth. Also, many ISPs can no longer leaselarge blocks of IP addresses, so you may have to limit Internet access to spe-cific machines or subnets.

For more information about taking this approach, you must contact your ISPto find out what it offers by way of available addresses and contiguous sub-nets. For some uses, public IP addresses are required because security needsdictate a true end-to-end connection between clients and servers across theInternet. In plain English, true end-to-end connection means that the IPaddress that a client advertises to the Internet is the same one it uses in real-ity. In the next section, you discover an alternate approach where an IPaddress advertised to the Internet is different from the private IP addressthat a client uses on its home subnet.

For some applications, particularly where secure IP-based protocols such asIP Secure (IPSec) or particular secure sockets layer (SSL) implementationsare involved, network address translation techniques may not work! Makesure you understand your application requirements in detail before youdecide whether to lease public IP addresses or use private IP addresses withnetwork address translation.

Address translation: The new magicIf you don’t want to pay to lease a range of IP addresses and your applicationrequirements allow you to use private IP addresses, you can employ IPaddresses reserved for private use in RFC 1918 on your networks. When usedwith network address translation software to connect to an ISP, a singlepublic IP address (or one for each Internet connection) is all you need to ser-vice an entire network.


Routers move packets among subnets and networksOnly routers can transfer packets from onesubnet to another, or from one network ID toanother, in the TCP/IP world. Routers are spe-cialized, high-end, high-speed devices fromcompanies such as Cisco Systems or ExtremeNetworks. However, any computer with two ormore NICs installed (where each NIC resides ona different subnet) can act as a router, provided

that the computer can forward packets fromone NIC to another (and thus, from one subnetto another). Right out of the box, in fact,Windows Server 2008 includes software andbuilt-in capabilities to work as a router.Computer nerds like to call such machinesmulti-homed computers because the machinesare “at home” on two or more subnets.

15_180433 ch10.qxp 2/25/08 7:47 PM Page 185

RFC 1918 (which you can find at www.faqs.org/rfcs/rfc1918.html)defines special IP addresses for use on private intranets. These addresses,which appear in Table 10-4, cannot be routed on the Internet. This approachprovides improved security for your network as a fringe benefit because itmeans that any impostor who wants to break into your network can’t easilymasquerade as a local workstation. (Doing so would require routing a privateIP address packet across the Internet.) Because all of these addresses are upfor grabs, you can use the address class that makes sense for your organiza-tion. (And for Class B and Class C addresses, you can use as many as youneed within the legal range of such addresses.)

Table 10-4 Private IP Address Ranges from RFC 1918Class Address Range # Networks

A 10.0.0.0–10.255.255.255 1

B 172.16.0.0–172.31.255.255 16

C 192.168.0.0–192.168.255.255 254

Using address translation software to offer Internet access reduces yourcosts and allows nearly unlimited growth. If you think private IP addressescombined with NAT software make sense for your situation, consult withyour ISP for specific details and recommendations on how to use this tech-nology on your network.

You’ve probably seen the terms firewall and proxy thrown about when read-ing about Internet access. Firewalls and proxy servers are network tools thatare little more than special-purpose routers. A firewall may be used to filtertraffic — both inbound and outbound.

Firewall filters may be based on a source or destination address, on a specificprotocol, or port address, or even on patterns that appear in the contents ofa data packet. A proxy server is an enhanced firewall, and its primary purposeis to manage communications between an in-house network and external net-works such as the Internet. Proxies hide the identity of internal clients andcan keep local copies of resources that are accessed frequently. (This iscalled caching, and it improves response time for users.)

You can check out several great online resources for firewalls, but onlineinformation on proxies is limited to product documentation. In addition toconsulting the Windows Server 2008 Resource Kit and TechNet (http://technet.microsoft.com/en-us/default.aspx), here are several onlineresources you may want to check to discover more about these technologies:


15_180433 ch10.qxp 2/25/08 7:47 PM Page 186

� NIST Guidelines on Firewalls and Firewall Policy: http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

� Microsoft’s Internet Security and Acceleration Server (ISA) 2006: www.microsoft.com/isaserver

� Zone Lab’s ZoneAlarm: www.zonealarm.com

� Cisco’s Self-Defending Networks: www.cisco.com/en/US/netsol/ns643/networking_solutions_packages_list.html

� WinGate proxy server: www.wingate.com

In addition to these excellent third-party products, Windows Server 2008offers a built-in native firewall product known as the Windows Firewall (previ-ously called the Internet Connection Firewall, or ICF), which is enabled andconfigured on the Advanced tab of a connection object. Windows Firewall is a host-based solution that can provide stateful filtering for inbound and out-bound traffic with integrated IPSec protection settings, which may or may notoffer the versatility and capabilities that your production network requires ina firewall. If you want to find out more about Windows Firewall, check theHelp and Support Center and the TechNet article at http://technet.microsoft.com/en-us/network/bb545423.aspx.

Forcing IP Down the Throat of Windows Server 2008

Configuring TCP/IP on Windows Server 2008 can range from simple to com-plex. We review the simple process and discuss a few advanced items. Forcomplex configurations, consult a reference such as the Windows Server2008 Resource Kit or TechNet.

Three basic items are always required for configuring TCP/IP:

� IP address

� Subnet mask

� Default gateway

With just these three items, you can connect a client or server to a network.

Basic configurationThe protocol is configured on the Internet Protocol (TCP/IP) Propertiesdialog box. To access this dialog box, follow these steps:


15_180433 ch10.qxp 2/25/08 7:47 PM Page 187

1. Choose Start➪Control Panel➪Network and Sharing Center.

2. Under Tasks, click Manage Network Connections.

The Network Connections dialog box appears.

3. In the Network Connections dialog box, right-click Local AreaConnection and select Properties.

The Local Area Connection Properties dialog box appears.

4. In the list of installed components, select Internet Protocol (TCP/IP).

Note: If TCP/IP isn’t already installed, follow these steps to install it:

a. In the Local Area Connection Properties dialog box, click Install.

The Select Network Component Type dialog box appears.

b. Select Protocol and then click Add.

The Select Network Protocol dialog box appears.

c. Select Internet Protocol Version 4 (TCP/IP) and then click OK.

d. If prompted, provide a path to the distribution CD.

5. Click Properties to open the Internet Protocol Version 4 (TCP/IP)Properties dialog box, shown in Figure 10-2.

The Internet Protocol (TCP/IP) Properties dialog box offers fields todefine the three IP configuration basics. Note the selection to obtain anIP address automatically. This setting configures the system to requestIP configuration from a Dynamic Host Configuration Protocol (DHCP)server. Because most servers don’t work well using dynamic IPaddresses, you may want to define a static IP address for your WindowsServer 2008 instead of using DHCP. (Or use DHCP to make a manual orstatic address allocation.)

Figure 10-2:The Internet

Protocol(TCP/IP)

Propertiesdialog box.


15_180433 ch10.qxp 2/25/08 7:47 PM Page 188

6. To enter your IP settings, select the Use the Following Address optionin the dialog box and fill in the fields as follows:

• IP Address: Either obtain a public IP address from your ISP or use aprivate IP address from one of the reserved address ranges definedin RFC 1918.

• Subnet Mask: You must also calculate a subnet mask for your net-work. (That is, as long as you aren’t using DHCP.) Here again, youmay obtain this from your ISP if you’re using public IP addresses,or you may calculate your own if you’re using private IP addresses.In most cases where private IP is used, the default subnet mask forthe address class should work without alteration or additional cal-culations, as described in Table 10-3.

• Default Gateway: Finally, you must also provide a default gatewayaddress for your server (unless you just don’t want this system tocommunicate with other hosts outside of its subnet). The defaultgateway should be the address of the router on the local subnet towhich the server is attached that can forward outbound traffic toother network segments. On networks using public IP addresses,this is probably a router, firewall, or proxy server that connects thelocal subnet to other subnets or to the Internet. On networks usingprivate IP addresses, this is usually the machine on which theproxy and NAT software resides, which mediates between the localsubnet and an Internet connection.

7. The Internet Protocol (TCP/IP) Properties dialog box also offers fieldsto configure Domain Name Service (DNS). You can leave these fieldsblank — at least for now.

We talk more about DNS in the “DNS Does the Trick” section later in thischapter.

8. After you define an IP address, a subnet mask, and a default gateway,click OK, and then close all the windows you’ve opened and reboot.

That’s all there is to basic TCP/IP configuration on Windows Server 2008!

Advanced configurationMore complex configurations become necessary when your network is largerand, therefore, more complicated. To deal with such complexity, you have todo some advanced work. Click the Advanced button in the Internet Protocol(TCP/IP) Properties dialog box (we tell you how to open that dialog box inthe preceding section) to reveal the Advanced TCP/IP Settings dialog box,complete with its four tabs (see Figure 10-3). The tabs (along with briefdescriptions) are as follows:


15_180433 ch10.qxp 2/25/08 7:47 PM Page 189

� IP Settings: This tab allows you to define multiple IP address and subnetmask combinations for a single NIC. You can define also additionaldefault gateways, as well as an interface metric, which is used by routers(or the routing service of Windows Server 2008) to determine whichpath to send data to — the path with the lowest metric is used first.

� DNS: This tab allows you to define additional DNS servers — the one ortwo you define on the Internet Protocol (TCP/IP) Properties dialog boxappears here as well, so don’t get confused. In addition, you can specifyhow to search or resolve issues based on DNS server, DNS domain, andDNS parent domains. The two check boxes at the bottom of the DNS taballow you to use dynamic registration to automatically add your server’sIP address and domain name to your local DNS. For more informationabout DNS, please consult the “DNS Does the Trick” section later in thischapter.

� WINS: This tab is where IP addresses for Windows Internet NameService (WINS) servers are defined. WINS servers resolve NetBIOSnames into IP addresses. WINS is convenient for Windows Server 2008networks with multiple servers and network segments. This tab alsooffers you control over how or whether NetBIOS operates over TCP/IP.For more information about WINS, please consult the “Everyone WINSSometimes” section later in this chapter.

� Options: This tab is where you can define alternate settings associatedwith TCP/IP. This tab offers access to only TCP/IP filtering by default, butthe layout of the interface seems to hint that other optional features orservices may be configured here if they’re installed later. TCP/IP filteringallows you to define TCP, User Datagram Protocol (UDP), and protocol

Figure 10-3:The TCP/IP

Settingsdialog box.


15_180433 ch10.qxp 2/25/08 7:47 PM Page 190

ports that will be allowed to function. In other words, it blocks all trafficexcept the traffic for the ports that you choose to allow in. This interfaceis rather limited because it doesn’t tell you which ports you need toallow in. We recommend deploying a proxy or firewall to perform TCP/IPfiltering because these devices are more user-friendly and tell you whichports you need.

Everyone WINS SometimesIn a Microsoft Windows network, TCP/IP hosts can be called by NetBIOSnames instead of IP addresses or domain names. Because NetBIOS names are more or less unique to Microsoft networks, there’s no current standardfor associating NetBIOS names with IP addresses. On a Microsoft networkthat uses TCP/IP as its only networking protocol, it’s essential to be able toresolve NetBIOS names to IP addresses. This is where Windows InternetName Service (WINS) comes in.

A glimpse at WINSBecause resolving NetBIOS names to IP addresses is the key to providingaccess to many of Windows Server 2008’s built-in services and facilities,Microsoft provides two methods to handle this process:

� LMHOSTS: You can use a file named LMHOSTS to create a static tablethat associates specific NetBIOS names with specific IP addresses. (LMstands for LAN Manager and points to the network operating systemthat preceded Windows NT in the Microsoft product world.) Such a filemust be present on every machine to provide the necessary name-to-address resolution capabilities.

For small, simple networks, using LMHOSTS files is an acceptablemethod. On large, complex networks, the busywork involved in maintaining a large number of such files can quickly get out of hand.

� WINS: Larger, more complex networks are where WINS comes into play.WINS runs on Windows Server 2008 machines as a service that automati-cally discovers NetBIOS names and manages a dynamic database thatassociates NetBIOS names with TCP/IP addresses. As networks grow,multiple WINS servers sometimes become necessary to help speed upthe time it takes to handle name resolution requests.

A single WINS server can handle an entire network. On networks thatinclude multiple sites or thousands of users, however, multiple WINSservers can distribute the load involved in providing name resolution,and speed users’ access to NetBIOS-based resources.


15_180433 ch10.qxp 2/25/08 7:47 PM Page 191

WINS has several advantages over LMHOSTS files. For one thing, it’s built ona dynamic database, which means that as networks change and names andaddresses come and go, the database changes as the WINS server detectsnew name and address relationships or finds old names with new addresses.WINS can be especially important on networks where DHCP is used, if clientsalso share files or printers on their machines. Also, WINS is something like aSpanish-English dictionary that’s constantly updated as new words — or inthis case, names — are added.

WINS serversA WINS server maintains a database that maps computer names to theirrespective IP addresses and vice versa. Rather than sending broadcasts foraddress information, which eats excess network bandwidth, a workstationthat needs a NetBIOS name resolved makes a request directly to a designatedWINS server. (That’s the real purpose of the WINS tab in the Advanced TCP/IPSettings dialog box.)

This approach lets workstations take advantage of a well-defined service andobtain address information quickly and efficiently. Also, when workstationswith NetBIOS names log on to the network, they provide information aboutthemselves and their resources to the WINS server. Then, any changes auto-matically appear in the WINS server’s database.

Although WINS is much simpler than DNS, it still isn’t an easy process. Youneed to install WINS as a network service component through the Local AreaConnections applet and corresponding network interfaces. We recommendseeking guidance from the Windows Server 2008 Resource Kit or Technetbefore starting on that journey.

WINS clientsWhen configuring workstations or servers (at least, those servers that don’t play host to the WINS server software) on your network, you providean IP address for one or more WINS servers on your network. When thosemachines boot, they provide the WINS server with their computer names,share names, and IP addresses. The WINS server handles everything else. If aworkstation needs an IP address that corresponds to a NetBIOS name, it asksthe WINS server to supply that information.


15_180433 ch10.qxp 2/25/08 7:47 PM Page 192

NetBIOS over TCP/IPThe bane of many security consultants, NetBIOS over TCP/IP is a piggybackapplication programming interface (API) employed by Windows Server 2008for all of its internal and server-to-server communications. Within a securedenvironment, such as behind firewalls and proxies, NetBIOS over TCP/IP isbeneficial because it supports many of the user-friendly features of WindowsServer 2008 networking. But without adequate security, it’s a gaping hole that devious individuals can exploit to overtake your network or stand alonesystem. The WINS tab offers you the ability to disable NetBIOS over TCP/IPon the current system (meaning NetBIOS will not be transmitted over network links from this computer) or allow it to mimic its DHCP server. (If the DHCP server disables NetBIOS, this system will as well.) You shouldconsider disabling NetBIOS over TCP/IP only if all systems on the network are Windows 2000, Windows XP, or Windows 2003 and no application or service on the network requires NetBIOS to function. In other words, you’llneed to live with NetBIOS for a bit longer.

DNS Does the TrickOne way to simplify TCP/IP host identification is to use Fully QualifiedDomain Names (FQDNs) instead of IP addresses. An FQDN is the type of nameused to identify resources on the Internet to make access easier for humans(such as www.microsoft.com). Resolving domain names and FQDNs to IPaddresses is a crucial service on TCP/IP networks in general and especiallyon the Internet, where hundreds of millions of names and addresses can befound. This is where the Domain Name Service — sometimes called theDomain Naming Service or Domain Name System, but always abbreviated as DNS — comes into play.

As with NetBIOS names and IP addresses, the association between FQDNsand IP addresses can also be maintained in two ways:

� HOSTS file: You can create a HOSTS file on each system. The HOSTS filemaintains a local table that associates specific FQDNs with specific IPaddresses. When such associations change, the HOSTS file must beupdated manually and copied to all machines on a network.

HOSTS files aren’t suited for interaction with large IP-based networks,especially the Internet. This explains why HOSTS files are mostly relicsof an earlier, simpler era of IP networking. Except as a fallback in caseaccess to DNS fails, no one uses HOSTS files anymore.


15_180433 ch10.qxp 2/25/08 7:47 PM Page 193

� DNS: Access to a DNS server allows network machines to request nameresolution services from that server instead of maintaining name-to-address associations themselves. Although DNS servers must be configured manually, a DNS server can handle the name resolutionneeds of an entire network with ease. DNS servers can also communi-cate with one another, so a name resolution request that the local servercan’t handle can be passed up the FQDN name hierarchy until it reachesa server that can resolve the name into an address or indicate that thename is invalid.

The Internet includes tens of thousands of DNS servers. ISPs manage many ofthese DNS servers; others fall under the control of special top-level domainauthorities. To stake out an Internet presence, you must obtain a uniqueFQDN through the InterNIC (or let your ISP do it for you). After you obtainthis name, it’s associated with a special root IP address in some DNS server(probably at your ISP, unless you decide to set up a DNS server of your own).

Whether to DNSUnless you manage a large, complex network, chances are better than aver-age that you’ll work with someone else’s DNS server — probably your ISP’s —rather than managing your own. However, if you have a large network withmore than 1,000 computers, or if your network spans multiple sites using private wide-area links, a DNS server may be just the thing to help you stakeout the right type of Internet presence.

One unique feature of Windows Server 2003 is that it automatically installsthree services on the first server of a domain: Active Directory, DHCP, andDNS. Although you don’t actually have to employ DHCP and DNS, they’re still installed by default. Installing these services is therefore a breeze. (Somuch so that the Configure Your Server Wizard does it for you automatically.)The real headaches come when you try to configure DNS (or DHCP, for thatmatter).

The deans of DNSIf you think you may be interested in setting up a DNS server, you need toconsult a technical resource, such as the Windows Server 2008 Resource Kit or TechNet. We also highly recommend DNS on Windows Server 2003, abook by Matt Larson, Cricket Liu, and Robbie Allen (published by O’Reilly


15_180433 ch10.qxp 2/25/08 7:47 PM Page 194

& Associates), as the ultimate resource for using Windows 2003 as a DNSserver. Even though the title says Windows 2003, this is also a great resourcefor Windows Server 2008 because DNS is almost exactly the same. Paul Albitzand Cricket Liu also wrote a general DNS book called DNS and BIND, now inits fifth edition (also published by O’Reilly) that is widely regarded as thebest general reference on DNS. Both of these books should be updated orrevised soon to encompass new material for Windows Server 2008.

DHCP: IP Addressing AutomationDHCP, the Dynamic Host Configuration Protocol, is used to dynamicallyassign IP addresses and other configuration settings to systems as they boot.This allows clients to be configured automatically at startup, thus reducinginstallation administration. DHCP also allows a large group of clients to sharea smaller pool of IP addresses, if only a fraction of those clients needs to beconnected to the Internet at any given time.

What is DHCP?DHCP is a service that Windows Server 2008 can deliver. In other words, aWindows Server 2008 can run DHCP server software to manage IP addressesand configuration information for just about any type of TCP/IP client. In fact,it can even perform this role in a completely stripped-down way if WindowsServer 2008 is installed as Server Core with additional service roles.

DHCP manages IP address distribution using leases. When a new system configured to use DHCP comes online and requests configuration data, an IPaddress is leased to that system. (Each lease lasts three days by default.)When the duration of the lease is half expired, the client can request a leaserenewal for another three days. If that request is denied or goes unanswered,the renewal request is repeated when 87.5 percent and 100 percent of thelease duration has expired. If a lease expires and isn’t renewed, the clientcan’t access the network until it obtains a new IP address lease. You can initi-ate manual lease renewals or releases by executing ipconfig /renew oripconfig /release at the Windows Server 2008 command prompt.

You can view the current state of IP configuration using the ipconfig com-mand. Issuing the ipconfig /all|more command at the command promptdisplays all of a machine’s IP configuration information, one screen at a time.


15_180433 ch10.qxp 2/25/08 7:47 PM Page 195

Is DHCP in your future?We can think of two profound reasons why DHCP is a godsend to WindowsServer 2008 administrators who need to use it:

� DHCP enables you to manage an entire collection of IP addresses in oneplace, on a single server, with little effort beyond the initial configurationof the address pool (the range of addresses that DHCP will be calledupon to manage). In the old days (before DHCP), managing IP addressesusually required walking from machine to machine on a far too frequentbasis.

� DHCP automates delivery of IP addresses and configuration information(including subnet mask and the default gateway addresses) to end-usermachines. This makes it astonishingly easy to set up IP clients and tohandle configuration changes when they must occur.

To configure IP on a new client, all an end user (or you) must do inWindows Server 2008, Windows Server 2003, Windows NT, or Windows9x is click the single option in the Internet Protocol (TCP/IP) Propertiesdialog box that reads, Obtain an IP Address Automatically. DHCP doesthe rest!

When configuration changes occur, these changes are automaticallyintroduced when IP leases are renewed. You can even cancel all existingleases and force clients to renew their leases whenever major renumber-ing or configuration changes require immediate updates to their IP con-figurations.


Enough TCP/IP to choke a hippoIf this chapter whets your appetite for TCP/IP,you can obtain more details and informationfrom the following great resources:

� Windows Server 2008 TCP/IP Protocols andServices, by Joseph Davies (published byMicrosoft Press)

� The TCP/IP Guide, by Charles Kozierok(published by No Starch Press; check out the complete online version at www.tcpguide.com.)

� Internetworking with TCP/IP, Volumes I, II,and III, by Douglas E. Comer, David L.

Stevens, and Michael Evangelista (pub-lished by Prentice Hall) in various editionsfrom 2nd through 5th

� TCP/IP For Dummies, 5th Edition, byCandace Leiden, Marshall Wilensky, andScott Bradner (published by WileyPublishing)

If that’s still not enough, one of your authorspulled together a more comprehensive TCP/IPbibliography for NetPerformance.com. Check it out at www.netperformance.com/reading_tcpip.aspx.

15_180433 ch10.qxp 2/25/08 7:47 PM Page 196

The ultimate reason for using DHCP is that it makes your job much easier.DHCP is recommended for all networks that use TCP/IP with ten or moreclients. The first Windows Server 2008 in a domain has DHCP installed automatically, but you still need to enable and configure it properly before itwill do you any good. So, if you think you may be interested in setting up aDHCP server, consult a technical resource, such as the Windows Server 2008Resource Kit or TechNet, for all the details of installation and configuration.

Ironing Out ProblemsProblems that occur on TCP/IP networks are almost always associated withincorrect configurations. The wrong IP address, subnet mask, default gate-way, DNS server, WINS server, or DHCP server can bring a system, if not anentire network, to its knees. Therefore, you need to take extra caution todouble-check your settings and changes before putting them into effect.

If you connect to an ISP, you should contact the ISP’s technical support per-sonnel early to eliminate as much wheel-spinning as possible. You may dis-cover the problem isn’t on your end, but theirs. If so, your only recourse is towait it out, and then complain. If problems occur too often for your comfort,take your business elsewhere.

Windows Server 2008 includes a few TCP/IP tools that you can employ to helptrack down problems. We already mentioned ipconfig; here are the others:

� ping: This tool tests the communications path between your system andanother remote system. If a PING returns, you know the link is traversaland the remote system is online. If the PING times out, either the link isdown or the remote system is offline.

� tracert: This tool reveals the hops (systems encountered) between yoursystem and a remote system. The results inform you whether your traceroute packets are getting through and at what system a failure is occurring.

� route: This tool is used to view and modify the routing table of a multi-homed system.

� netstat: This tool displays information about the status of the currentTCP/IP connections.

� nslookup: This tool displays DNS information that helps you manageand troubleshoot your DNS server.

� telnet: This tool is used to establish a text-based terminal emulationwith a remote system. Telnet gives you access to a remote system as ifyou were sitting at its keyboard. Windows Server 2003 doesn’t includean inbound Telnet server.

Complete details on these tools are included in the Windows 2008 help files,the Windows Server 2008 Resource Kit, and TechNet.


15_180433 ch10.qxp 2/25/08 7:47 PM Page 197


15_180433 ch10.qxp 2/25/08 7:47 PM Page 198

Part IIIRunning Your

Network

16_180433 pp03.qxp 2/25/08 7:48 PM Page 199

In this part . . .

After Windows Server 2008 is up and running, the realfun — namely, maintaining the server and network

you’ve so laboriously constructed — begins. Or at least,so goes the conventional wisdom. In a very real sense,therefore, Part III begins where Part II leaves off.

First, there’s managing the users (and their groups) whowill work on your network and use your server. Then, it’son to how to set up and handle NTFS and share permis-sions, with a heaping order of file systems and relatedtopics on the side. Once you have data and users to pro-tect, backing up your system is no longer an option — it’s a downright necessity — so it’s the next topic on oursystems-management agenda. Part III closes out with anexercise in positive paranoia, where you find out aboutcomputer and network security in a discussion thatcovers the bases from physical security all the way up tohow to build a solid password.

Thus, Part III covers all the key topics involved in manag-ing a Windows Server 2008–based network to prepare you to live with one of your own (or to work on someoneelse’s). Use these chapters to establish a systematic routine — not only will your users thank you, but you’llalso save yourself some time and effort!

Remember this: Maintenance activities and costs usuallyrepresent 90 percent of any computer system’s life cycle.That’s why establishing a solid maintenance routine andsticking to it religiously are the keys to running a success-ful network. Do yourself a favor and don’t learn this lessonthe hard way. . . .

16_180433 pp03.qxp 2/25/08 7:48 PM Page 200

Chapter 11

Managing Users with ActiveDirectory Users and Computers

In This Chapter� Defining user account properties

� Creating new user accounts and groups

� Managing user accounts

� Understanding groups

� Assigning profiles

� Governing activities with policies

� Solving problems

User accounts are indispensable elements in the Windows Server 2008environment. They’re central management and control tools for the

operating system to authenticate users and manage access to the resourceson a local system and in the domain and forest as well. If you don’t have a defined user account on a Windows Server 2008 stand-alone system or aWindows Server 2008 domain, you can’t gain access to that system or toavailable resources in the forest. This chapter looks at managing domain user accounts and policies through the Active Directory Users andComputers console.

User Accounts Have PropertiesComputers are typically used by more than one person. Even systems thatworkers use exclusively on their desks allow system administrators to log onlocally. If these systems have computer accounts in the domain, it’s possiblefor other users with domain accounts to log on to those systems as well. Thecomputer distinguishes between one person and another by employing asecurity device called the user account object. Each user on a computer or anetwork has a unique user account that contains details about the user, suchas his or her rights and restrictions to access resources and more.

17_180433 ch11.qxp 2/25/08 7:48 PM Page 201

A Windows Server 2008 domain-based user account contains, is linked to, oris associated with the following items:

� Password security: User accounts are protected by passwords so thatonly authorized persons can gain access to the systems.

� Permissions: Permissions are the access privileges granted to a useraccount. These include group memberships and user-specific settings toaccess resources.

� Identification: A user account identifies a person to the computer systemand the network.

� User rights: A user right is a high-level privilege that can be granted tousers or groups to define or limit their actions on a computer system.

� Roaming: You can define user accounts so that a user can log on to any system that is a member of a domain by using a domain user account(certain users may be able to log on to local accounts in certain situations), a Remote Access Service (RAS), or a gateway.

� Environment layout: Profiles are user-specific and store informationabout the layout, desktop, and user environment in general, unless theyare specifically restricted through the use of mandatory profiles. Youcan define profiles so that they follow the user account no matter wherethe user gains access on the network.

� Auditing: Windows Server 2008 can track access and usage by domainuser accounts if that level of auditing has been enabled in the domain.

Access to Windows Server 2008 requires that users successfully authenticatethemselves with a domain user account. This means that when a user withthe proper permission level (not everyone has permission to log on locally toall systems in a domain) sits down at a Windows Server 2008 system, he orshe can log on at the local machine with a local account (called an interactivelogon) by pressing Ctrl+Alt+Delete to start the logon process. Then the usermust provide a valid username and password. He or she may also log on to adomain user account in the same manner if the server is a member of thedomain. After the system verifies this information, the user is granted access.

When the user is finished, he or she can log out and leave the system availablefor the next user to log on.

With Windows Server 2008 installed, three user accounts are automaticallycreated by default on stand-alone (non-domain-member) systems:

� The Administrator account is used to configure the system initially andto create other user accounts.

� The Guest account is a quick method to grant low-level access to anyuser — but is disabled by default.

202 Part III: Running Your Network

17_180433 ch11.qxp 2/25/08 7:48 PM Page 202

� The HelpAssistant, often named Support_<random characters>, is theprimary account used for Remote Assistance sessions. Remote DesktopHelp Session Manager services manage this account, which is also disabled by default.

Administrators rule!The Administrator account is the primary means by which you initially con-figure Windows Server 2008. It’s also the most powerful local account on theWindows Server 2008 system; therefore, you should make sure that the pass-word for the Administrator account is complex and secret. The Administratoraccount has full-control access to almost everything in Windows Server 2008(the exceptions are a few system processes that the Administrator doesn’town and therefore doesn’t have access to), such as managing user accounts,manipulating shares, and granting access privileges.

The Administrator account boasts the following features:

� You can’t delete it.

� You can lock it out or disable it.

� You can (and should) rename it. (Right-click the account and chooseRename.)

� Although defining a blank password on a local Administrator account isallowed, it’s actively discouraged as a bad security practice. In certainsituations, some services don’t function properly if you don’t provide apassword. Therefore, you should provide a valid, complex password forthis account.

Renaming this account is a good security practice. Would-be hackers (that is,people who want to gain unauthorized access to your system) need only twobits of information to gain access to your system: a user account name and apassword. Unless you rename this account, they already have half of whatthey need to gain access to the most powerful account on your system. Thatends up being the only thing they need if you don’t define a password for this account!

Guests can wear out their welcomeThe Guest account is the second default account created by Windows Server2008. You can use this account as a temporary public-access method. It hasminimal access rights and restricted privileges to resources.

The Guest account boasts the following features:

203Chapter 11: Managing Users with Active Directory Users and Computers

17_180433 ch11.qxp 2/25/08 7:48 PM Page 203

� You can’t delete it.

� You can disable it and lock it out. (It’s disabled by default.)

� You can rename it.

� It can have a blank password. (It has a blank password by default.)

� Changes to the guest environment aren’t retained by this account. (That is, the user profile is mandatory because user changes to the environment aren’t retained.)

The Guest account can be a security hole. Good security practices suggestthat you keep this account disabled, rename it, and assign it a valid password.

Creating Active Directory AccountsCreating accounts in Active Directory for users to log on to the domain andforest to access resources is a common and simple task. You use the ActiveDirectory Users and Computers console (see Figure 11-1) in Windows Server2008 to create and manage domain user accounts and domain groups.

Creating user accounts isn’t difficult, but you need to pay attention to lots ofdetails. First, we walk you through creating a quick-and-dirty user account.Then, we talk about all the fine-tuning you can perform on this account:

1. To get to Active Directory Users and Computers, choose Start➪AllPrograms➪Administrative Tools➪Active Directory Users andComputers.

2. In the console tree, click the folder that corresponds to the domain ororganizational unit to which you want to assign this new account.

You see all the default settings for this domain or organizational unit,including user accounts. If you’re assigning the user account to theUsers container, when you initially click it, you see the Administratorand Guest accounts, plus other accounts that Windows Server 2008 setup, depending on the services you installed.

An organizational unit is an Active Directory container that holds otherorganizational units, computers, user accounts, and groups. For moreinformation on organizational units, see Chapter 7.

3. In the details pane, right-click the group and then choose Properties.

4. On the Members tab, click Add.

(You can also right-click the container and choose New➪User from thepop-up menu.) This reveals the Create New Object – User Wizard, shownin Figure 11-2. When you create a user object from scratch, you shouldpay attention to every detail of that account.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 204

5. Fill in the following information:

• First Name; Last Name; Initial: Type the user’s first name, last name,and middle initial, if applicable.

• Full Name: This is how the name will be displayed on the system.Notice that the Setup Wizard has entered the name for you. Youcan replace what’s filled in for you and arrange the display of thefull name any way you like. Usually, the first name is displayed,then the last name.

• User Logon Name: Type the information you want the user to use to validate himself or herself to the network. You should create acompany standard such as last name, first initial, or somethingsimilar. (See the “What’s in a name?” sidebar later in this chapter.)

Figure 11-2:Use the New

Object –User Wizard

to create auser object.

Figure 11-1:The Active

DirectoryUsers and

Computersconsole is

the primarytool thatadminis-

trators useto create

domainusers,

accounts,and groups.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 205

Pre–Windows 2000, the user logon name is the name given to theuser for pre–Windows 2000 systems. Notice that the wizard fills inthis information for you. You won’t need to change this unlessyou’re a tech head.

6. Click the Next button to continue setting up this new user accountobject.

In the next screen, you’ll enter information about the password.

7. Type a password for this account and then confirm that password tothe system by retyping it.

8. Configure the password settings using the options described in the following list:

• User Must Change Password at Next Logon: Forces users to changetheir passwords.

• User Cannot Change Password: Prevents users from changing theirpasswords.

• Password Never Expires: Exempts this account from the policy thatcan require a password change after a specified time period.

• Account Is Disabled: Ensures that this account can’t be used to gainaccess to the system. Chances are, if you’re creating a new user,you don’t want to select this option because you want the user tobe able to access the system.

9. Click the Next button when you’re finished marking your selections.

You’re presented with a confirmation screen about the choices you’ve made.

10. Click the Finish button if everything is correct. If you think of some-thing else that needs to be added, click the Back button to add it now.

If you need to add data later, you can edit the properties of the accountas well.

You’ve just created a new domain user account object, and you’ll see thatobject in the Active Directory Users and Computers console window. In Step5, we mention the way the name is displayed, and that’s how you should seethe object’s name listed.

If you right-click the new object and then click Properties, you’ll see severaltabs, including General, Address, Account, Profile, and many more. You canuse these tabs to enter more information about the new user account object,such as the groups to which it belongs. You may see other tabs, dependingon the services installed on your Windows Server 2008 system and whetherthe server is a stand-alone server, a domain member server, or a domain controller.

In the following sections, individually we go through some of the default tabsof a member server so that you’ll know what to fill in and why.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 206


What’s in a name?Windows Server 2008 doesn’t actually use oreven care about the human-friendly nameassigned to a user account. Instead, WindowsServer 2008 uses a Security Identifier, or SID, torecognize and track user accounts. But, becauseyou’re human, you should employ human-friendly names whenever possible. This reducesstress and makes user management easier.

What we’re trying to say is that you shouldemploy a naming convention. A naming conven-tion is just a predetermined method for creatingnames for users, computers, resources, andother objects. The two key features of a namingconvention are the capability to always createnew names and that the names created providedescriptive information about the named object.

Small networks rarely need complex or even pre-defined naming conventions. However, when thenumber of named items on your networkexceeds about 100 or so, you may find it increas-ingly difficult to remember who or what jackal,herbie, and 8675309 actually are. Therefore,starting a small network with a naming conven-tion can ease the growth process later.

Windows Server 2008 doesn’t impose or suggesta naming scheme. It just lets you define namesas you please. If you decide to use a naming con-vention, you need to be diligent in enforcing andemploying that scheme.

The naming convention you choose or createdoesn’t matter; as long as it always provides newnames and those names indicate informationabout the objects they label. Here are some general naming-convention rules:

� The names need to be consistent across allelement types (user names, computernames, share names, directory names, andso on).

� The names should be easy to understand. (Ifthey’re too complex or difficult, they won’t be used.)

� The names should somehow identify thetypes of objects.

You can create new names by mimicking thestructure of existing names. Here are someexamples of partial naming conventions that youcan customize for your network:

� Create user names by combining the firstand last name of a user (for example,JohnSmith or JSmith).

� Create user names by combining the lastname of a user and a department code (forexample, SmithAcct and SmithSales5). WithActive Directory, this type of design is lessneeded because, in many cases, the layoutof your OU structure reflects the organiza-tional areas of your company.

� Create computer names by combining theuser name, a computer type code, and roomnumber (for example, SmithW98 and JS102).

� Create group names by combining resourcedescriptor, location, project, or departmentnames (for example, Tower12, Planning2,and Conference12).

� Create share or directory names by com-bining the content or purpose descriptorwith a group or project name (for example,Documents, SalesDocs, and AcctSheets).

� Create printer names by combining themodel type, location, department, and groupnames (for example, HP5Sales, CLJRm202,and HP4Acct).

As you can see, each of these suggested partialnaming schemes always creates new namesand provides enough information about thenamed object to determine where it is andwhether it’s a user account, computer, share, or printer.

17_180433 ch11.qxp 2/25/08 7:48 PM Page 207

General tabWhen you click the General tab, you can type more information about theaccount, such as a description (additional location information, what the account is used for, or whatever you want), office address, telephonenumber, Web page address, and e-mail address. The more information youprovide at this time, the more you’ll appreciate it later when you need thisinformation. The description information shows up in the Active DirectoryUsers and Computers console if you have the detail view selected. (Choose View➪Detail to see it.)

Address tabClick the Address tab to type information about the user’s physical mailingaddress. Although this information isn’t required, it’s good to have handy.

Account tabClick the Account tab to reveal the logon name, logon name for pre–Windows2000 systems, logon hours, workstation restrictions (which can be set with the Log On To button), and account expiration information. Most of the options in this tab are self-explanatory — except the logon hours andexpiration information, which are described as follows:

� Logon hours: Click the Logon Hours button to reveal the Logon Hoursdialog box. (See Figure 11-3.) In this dialog box, you can define the hoursduring which a user can gain entry to the system. If this user accountattempts to log on during off hours, the logon fails. If the user is alreadyonline when the hours expire, the user remains online but can’t estab-lish any new network connections. (That is, the user can’t send a docu-ment to a printer or open a new file.) You define hours by selecting theday and hour sections and selecting the Logon Permitted or LogonDenied option. This option is mostly used for contractors who areallowed to use the system only during regular working hours.

� Account expiration: Select the Account Expires End Of option to define when (if ever) the account expires. This is useful for contract ortemporary employees who have been granted access to the system for a specified period of time.

Profile tabClick the Profile tab in the Properties dialog box to reveal current informationabout the user account’s profile. (See Figure 11-4.) In this dialog box, you candefine the following:


17_180433 ch11.qxp 2/25/08 7:48 PM Page 208

� User Profile Path: The location where the roaming profile for this user isstored. The roaming profile makes a user’s working environment avail-able to him of her on any workstation on the network. (See the “GivingYour Users Nice Profiles” section later in this chapter.)

� Logon Script: The filename of the script file to be executed at logon.Logon scripts are usually batch files that define paths, set environmentalvariables, map drives, or execute applications. You typically use logonscripts only in Windows Server 2008 for compatibility with older serversor DOS applications or to automatically configure settings for NetWareserver access.

� Home directory: The default storage location for this profile as a localpath or as a mapped drive letter to a network drive.

Figure 11-4:Examples of

a UserProfile and

its profilepath, logon

scriptlocation,

and HomeFolder

designation.

Figure 11-3:Access can

be set bytime of dayand day of

week.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 209

Telephones tabClick the Telephones tab in the Properties dialog box to enter every imagin-able phone number a person can have these days, such as pager, fax, andmobile. There’s even a Comments section where you can add whatever you want.

Organization tabClick the Organization tab in the Properties dialog box to enter informationabout the user’s title in the organization and the names of the people towhom the person reports to directly. If your organization is prone to restructuring, you may opt to leave this tab blank.

Member Of tabClicking the Member Of tab in the Properties dialog box reveals informationabout the account’s group membership status. This is where you can add auser account object to a group or remove a user account object from a group.(See Figure 11-5.) If you want to add this object to another group, click theAdd button and select the group. As we discuss later in this chapter, group membership determines the resources to which you grant a useraccount access.

Figure 11-5:Group

member-ships are

definedhere.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 210

Dial-in tabClick the Dial-in tab in the Properties dialog box to enable or disable theaccount from dialing into the network. This is also where you can set any call-back options. Callback means that, as users dial into the network, the serverdials back a preset telephone number to verify that the users are in fact whothey say they are. This number can be preset or set by the user. Callback isoften used in security situations, but dial back doesn’t work particularly wellwhen a user is on the road and staying in different hotels, which all have different telephone numbers. Use this option with caution.

Getting Pushy with UsersAt some point during your management lifetime, you may need to disable,rename, or delete user accounts. You can do all this using Active DirectoryUsers and Computers, as described in the following list:

� Disabling a user account is when you turn off the account so that itcan’t be used to gain entry to the system. To disable an account, high-light the user account and then choose Action➪Disable Account. Whenyou create a user using the Setup Wizard (see the “Creating ActiveDirectory Accounts” section earlier in this chapter), you can select theAccount Disabled check box, and the user account is disabled until you enable it.

� Renaming a user account changes the human-friendly name of theaccount. Just select the user account and then choose Action➪Rename.A dialog box prompts you for the new name. Note that a name changedoesn’t change the Security Identifier (SID) of the account.

� Deleting a user account removes the user account from the system.Highlight the user account you want to delete and then chooseAction➪Delete. You’re prompted to confirm the deletion. When youdelete an account, it’s gone for good. The SID used by the deletedaccount is never reused. Creating a new account with the same configu-ration as the deleted account still results in a different account becausea new SID is used; therefore, as far as the accounts database is concerned, it’s a new account.

When users leave your organization, you need to decide whether you want toretain their old user accounts to use for their replacements. This is your bestoption because it retains all department and group settings, but it does meanthat you have to change all the personal information so that it relates to thenew user.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 211

What about Groups?A group is a collection of users who need similar levels of access to aresource. Groups are the primary means by which Windows Server 2008domain controllers grant user access to resources.

Groups simplify the administration process by reducing the number of relationships that you have to manage. Instead of managing how each individ-ual user relates to each resource, you need to manage only how the smallernumber of groups relate to resources and to which groups each user belongs.This reduces the workload by 40 to 90 percent. Windows Server 2008 has aBest Practices section under its Help guide that encourages you to usegroups in as many situations as you can.

Understanding group scopesA group is nothing more than a named collection of users. There are two different types of groups, and each type can have any one of three scopes(described next):

� Security groups are used to assign user rights to objects and resourcesin Active Directory. A secondary function of a security group is that itcan also be used to send e-mails to all the members of the group.

� Distribution groups are used only for sending e-mail to all the membersof the group. Distribution groups can’t be used to define permissions toresources and objects in Active Directory.

Both group types can have any of the following scopes:

� Global groups exist on a domain level. They are present on every com-puter throughout a domain and are managed by any Active Directory for Users and Computers tool hosted by Windows Server 2008. When thedomain is running in Windows 2000 native mode or Windows Server2008 mode, members of global groups can include accounts and globalgroups from the same domain. When the domain is running in Windows2000 mixed mode, members of global groups can include accounts fromthe same domain.

� Domain local groups exist only on a single computer. They aren’t present throughout a domain. When the domain is running in Windows2000 native mode or Windows Server 2008 mode, members of domainlocal groups can include accounts, global groups, and universal groupsfrom any domain, as well as domain local groups from the same domain.When the domain is running in Windows 2000 mixed mode, members of domain local groups can include accounts and global groups from any domain.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 212

� Universal groups extend beyond the domain to all domains in the cur-rent forest. When the domain is running in Windows 2000 native modeor Windows server 2008 mode, members of universal groups can includeaccounts, global groups, and universal groups from any domain. Whenthe domain is running in Windows 2000 mixed mode, security groupswith a universal scope can’t be created. When the domain is running inWindows 2000 native mode or Windows Server 2008 mode, universalgroups can be created and used to house other groups, such as globalgroups, to facilitate the assignment of permissions to resources in anydomain in the forest.

The three group scopes simplify the user-to-resource relationship. Usinggroups greatly reduces the management overhead for a medium or large net-work, but it may seem a bit complicated for a small network. You can usegroups like this:

� Local groups are assigned access levels to resources.

� Users are assigned membership to a global group or a universal group.

� A global group or a universal group is assigned as a member of a localgroup.

Therefore, users are granted access to resources by means of their global oruniversal group membership, and, in turn, that group’s membership to a localgroup has access to the resource. Whew, now it’s time for a drink!

Here are a few important items to keep in mind about groups:

� A user can be a member of multiple global or universal groups.

� A global or universal group can be a member of multiple local groups.

� A resource can have multiple local groups assigned access to it. Usingmultiple local groups, you can define multiple levels of access to aresource from read/print to change/manage to full control.

Although it’s possible to add user accounts directly to a universal group, bestpractices dictate that you should add them only to global groups and addglobal groups to universal groups. When membership changes in a universalgroup, such as the addition or removal of user accounts or groups, thechange must be replicated throughout the forest through the global catalogservers. Adding and removing user accounts often from universal groups willcause a great deal of forest-wide replication traffic on the network.

If you add a global group to a universal group, user accounts and nestedglobal groups can be added to and removed from the global group withoutcausing a single replication. This is because the membership of the universalgroup hasn’t changed. It still has the same global group or groups in it. Onlythe membership of the global group changes when you add or remove useraccounts or nested global groups.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 213

Although you can assign a user direct membership to a local group or evendirect access to a resource, doing so subverts the neat little scheme thatMicrosoft developed to simplify your life. So, just follow this prescription,and you’ll be vacationing on the beach in no time.

Whereas any other group can be a member of a local group, a local groupcan’t be a member of any other group when the domain is running in mixedmode. Domain local groups can be placed in other domain local groups fromthe same domain when the domain is running in Windows 2000 native modeor Windows Server 2008 mode.

Creating and managing groupsYou manage groups on Windows Server 2008 using Active Directory Usersand Computers. To create a group using Active Directory Users andComputers, follow these steps:

1. In the console tree, right-click the folder to which you want to add thegroup (Active Directory Users and Computers/domain node/folder)and choose New➪Group.

The New Object – Group dialog box appears. (Refer to Figure 11-5.)

2. Type the new group name.

The group name for pre–Windows Server 2008 machines is filled in automatically. By default, the name that you type is also entered as thepre–Windows 2000 name of the new group.

3. In Group Scope, select one of the options: Domain Local, Global, orUniversal.

Universal groups are powerful because they extend to all domains in thecurrent forest.

4. Select the group type: Security or Distribution.

You’ll almost never use the Distribution group setting because it doesnot contain the access control list (ACL) information necessary for security purposes. The Distribution group setting is used mainly fore-mail operations, where you’d want to send an e-mail to a collectivegroup of users and don’t need security attached to it. We recommendalways using the Security type.

5. Click OK.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 214

After the group object is created, you can double-click the object to add moreattributes to it. You see several new tabs called General, Members, MemberOf, and Managed By. These tabs are fairly self-explanatory, but here’s a littlebit about them:

� General: This tab contains the same information you filled in when youcreated the group, such as group name, description, e-mail, group scope,and group type.

� Members: This tab shows the users who are members of the group. Thisis where you add users to the group.

� Member Of: This is where you can add this group to other groups.

� Managed By: This tab allows you to specify who manages the group.You can provide information about the user, such as name, address, andphone number.

Using built-in groupsYou don’t have to create your own groups: Windows Server 2008 domain con-trollers have several built-in security domain local groups that you can use.The groups are in the Builtin container, by default. The following lists just afew of them (the default members are in parentheses):

� Administrators (administrator, domain admin, Enterprise admin)

� Guests (domain guests, guests)

� Pre–Windows 2000 Compatible Access (anonymous logon, everyone)

� Users (domain users, authenticated users)

Note that your screen may show that these built-in groups have more members than we’ve listed, depending on which services are installed onyour server. For example, if you’ve installed Internet Information Services(IIS), you’ll see more members in the built-in Guests group.

These default, built-in security domain local groups have both predefinedbuilt-in capabilities (see Figure 11-6) and default user rights. You can modifythe user rights of these groups (see this chapter’s section titled “UserAccounts Have Properties”), but you can’t change the built-in capabilities.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 215

Windows Server 2008 domain controllers include the following additionalsecurity groups as well, which can be found in the Users container by default:

� Cert Publishers (domain local)

� Debugger Users (domain local)

� HelpServicesGroup (domain local)

� RAS and IAS Servers (domain local)

� Telnet Clients (domain local)

� Domain Admins (global)

� Domain Computers (global)

� Domain Controllers (global)

� Domain Guests (global)

� Domain Users (global)

� Group Policy Creator Owners (global)

� Enterprise Admins (universal)

� Schema Admins (universal)

Other groups may exist, such as DnsAdmins, which would be created if thedomain controller hosted DNS services. For the most part, however, the preceding list is inclusive for the forest root domain controller.

Windows Server 2008 has three more groups that it classifies as special identities: Everyone, Network, and Interactive. These are built-in groups thatyou can modify only indirectly. The following list describes these groups:

Figure 11-6:The built-in

securitygroups ofWindows

Server 2008.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 216

� Everyone: This group, for example, may reflect a membership of 20 useraccounts until you add another account to the domain. The user is automatically added to the Everyone group with no intervention by you.Therefore, although you didn’t specifically make the new account amember of the Everyone group, you did affect its membership. Guestsare also added to the Everyone group, so be careful and modify theguest account to restrict access to the network. (See the “Guests canwear out their welcome” section earlier in this chapter for more information.)

� Network: This group is for those who use the network as a means toaccess resources. When you give users access to resources across thenetwork, they’re automatically added to the Network group.

� Interactive: This group represents users who access resources by logging on locally.

Again, you can’t change who is a member of these groups in a direct sense.However, when you set permissions to resources, these groups will appear,and you should modify the access levels of these groups to specificresources. For example, when giving users access to the root level of avolume, you can restrict access to the Everyone group so those users haveonly Read permissions.

You should create groups that make sense to your organizational pattern,method of operations, or just common sense. Groups should be meaningful,and their names should reflect their purposes. Naming a group Sales isn’tvery useful, but a name such as SalesPrintOnly is very informative. Youshould create groups so that users are divided by purpose, access levels,tasks, departments, or anything else you consider important. Remember thatgroups exist for your benefit, so try to get the most out of them.

Giving Your Users Nice ProfilesA user profile is the collection of desktop, environment, network, and othersettings that define and control the look, feel, and operation of the worksta-tion or member server. Windows Server 2008 records profile informationautomatically for each user. However, unless you make them roaming profiles(which you find out about later in this chapter), these profiles are accessibleonly locally.

A user profile records lots of information about the user’s environment andactivities, including the following:

� Start menu configuration

� Screensaver and wallpaper settings


17_180433 ch11.qxp 2/25/08 7:48 PM Page 217

� List of recently accessed documents

� Favorites list from Internet Explorer

� Network mapped drives

� Installed network printers

� Desktop layout

In addition, a profile includes a compressed copy of the HKEY_CURRENT_USER Registry key in a file named NTUSER.DAT. To find definitions for all thevarious Registry keys, you can use the Registry Tools utility in the WindowsServer 2008 Resource Kit and access REGENTRY.HLP.

You can turn profiles into roaming profiles. (Note that a nonroaming profile is called a local profile.) A roaming profile is a profile stored on a network-accessible drive; therefore, no matter which workstation is used to gain access,the user’s profile is available. As a result, the user’s working environment fol-lows him or her from one computer to the next. (You can also set the profile sothat the user can’t customize his or her roaming profile, which is called amandatory user profile. See the last paragraph of this section for details.)

To create and enable a roaming profile for a specific user, follow these steps:

1. On the domain controller, start Active Directory Users andComputers. (Choose Start➪Control Panel➪Administrative Tools➪Active Directory Users and Computers.)

2. In the console tree, right-click the domain or organizational unit forwhich you want to set a policy and choose Properties.

3. Click the Group Policy tab.

4. If you want to modify an existing group policy, select it in the GroupPolicy Object Links portion of the window and choose the appropriateoption.

5. Click the Copy To button.

6. Define a network accessible path for the new storage location for the profile.

For example, \\domain controller\users\<username>, wheredomain controller is the name of the domain controller, users is theshare name, and username is the name of the user account that is tiedto the profile.

7. On the domain controller (or any domain member that has theADMINPAK.MSI tools properly installed), launch the Active DirectoryUsers and Computers. (Choose Start➪Programs➪AdministrativeDirectory Users and Computers.)

8. Right-click the user object you just copied to the domain controllerand then choose Properties.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 218

9. Click the Profile tab.

10. In the Profile Path box in the User Profile section, type the same pathfrom Step 6.

11. Click OK.

The profile for the selected user is now a roaming profile. After a user has aroaming profile, the local profile is no longer used. It remains on the system,but the user account is now associated with the roaming profile.

By default, each time a user logs out, all changes made to his or her profileduring that logon session (no matter which workstation he or she uses) aresaved to the profile on the domain controller, unless you specifically madethis a mandatory profile. The next time the user logs on, the work environ-ment is exactly the same as when he or she logged off. Local and roamingprofiles should be used only by a single user. If multiple users need to use a single profile, you should employ a mandatory profile.

A mandatory profile doesn’t save customized or personal changes to the profile when a user logs out. Instead, the profile retains the same configura-tion at all times. This type of profile is used mainly when system or networkadministrators want to control or limit the end users’ ability to modify their profiles beyond a standard one that may be employed throughout theenterprise.

You create a mandatory profile by simply renaming the NTUSER.DAT file toNTUSER.MAN in either a local or roaming profile. After this change is made,the profile remains consistent no matter who uses it. You can always reversethis process by renaming the NTUSER.MAN file back to NTUSER.DAT.

Where You Find Profiles, Policies Are Never Far Away

Group policies are the collections of rules governing, controlling, or watchingover the activities of users. You can set group policies based on sites,domains, or organizational units. In Windows NT Server 4.0, this was knownas the System Policy Editor. In Windows Server 2008 (as it was in Windows2003 and 2000), you set these policies using the group policy and its snap-inextensions, such as Administrative Templates, Security Settings, and Scripts.

Administering a group policyOne way to administer (manage or modify) the group policy from ActiveDirectory Users and Computers is to do the following:


17_180433 ch11.qxp 2/25/08 7:48 PM Page 219

1. Start Active Directory Users and Computers. (Choose Start➪ControlPanel➪Administrative Tools➪Active Directory Users and Computers.)

2. In the console tree, right-click the domain or organizational unit forwhich you want to set a policy and choose Properties.

3. Click the Group Policy tab.

4. If you want to modify an existing group policy, select it in the GroupPolicy Object Links portion of the window and choose the appropriateoption.

The following options are available on the Group Policy tab. (We list them inalphabetical order.)

� Add: This opens the Add Group Policy Object Link dialog box. If youwant to add an existing group policy object to the domain or organiza-tional unit you’re viewing, you do so under this option.

� Block Policy Inheritance: Select this option to prevent the directoryobject you choose from inheriting its group policy from its parentobject.

� Delete: Use this option if you want to remove the group policy object.

� Edit: Allows you to make changes to the selected group policy.

� New: Allows you to create a new group policy object.

� Properties: Opens the Group Policy Properties dialog box. You can find all sites, organizational units, and domains using the selected policy. In addition, you can set permissions on a user or group basis to this object.

In addition, there’s an Options button. When you click it, the followingoptions are available:

� Disabled: This temporarily disables the group policy from the directoryobject.

� No Override: This is similar to a veto. If this is selected, child directo-ries must inherit group policy from their parent directory. Not even theBlock Policy Inheritance setting can keep this group policy from beingforced after No Override is set.

If more than one group policy object is listed, you can use the Up and Downbuttons to change the group policy order. Policies are enforced from thebottom of the list to the top. The one at the top is enforced last and thustakes priority over any of the others in the list or any of the others processedat higher points in the inheritance scheme, such as at the parent OU ordomain or site levels.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 220

Understanding how group policies are processedA group policy is processed in the following manner:

1. All Windows 2000, XP Professional, and 2003/2008 systems have onelocal group policy object, and it’s processed first when the system isstarted. In a domain scenario, because the subsequent group policyobjects are likely to overwrite these settings, this group policy objectwill probably have the least amount of effect on the local system whenit’s in a domain. On a stand-alone Windows system, it’s usually the onlygroup policy object processed; in this situation, it will have a largeeffect, if not the only effect.

2. The next set of group policy settings that are processed are the settings for all and any site group policy objects. These group policyobjects are processed synchronously. (The domain administrator setsthe order in which these will execute.) They’re processed from thebottom of the list to the top, with the one at the top enforced last at this level.

3. After all site group policy objects are run, the next set of group policyobjects to be deployed are the ones set at the domain level. These tooare executed synchronously, processed from the bottom of the list tothe top, with the one at the top enforced last in the event that there ismore than one set to be deployed.

4. The final set of group policy objects to be executed are any set at theorganizational unit level. All group policy objects linked to the upper-most (parent) organizational unit in the inheritance tree are executedfirst, followed by those in the next highest level, and so on, until youreach the local organizational unit, which is executed last. At each organizational unit in the hierarchy, there may be several group policies.They are processed in a specific order set by the domain administratorand are executed synchronously. This means that all group policyobjects in the highest point of the inheritance tree are executed first inthe specific order set by the domain administrator, and then all grouppolicy objects at the next point of the inheritance tree are executed inthe specific order set by the domain administrator, and so on all the waydown to the local organizational unit.

Two rules apply when there are conflicting settings. At any particular grouppolicy object, the computer setting prevails over the user configuration set-ting. For example, if GPO3 at the bottom of the list set at the domain level hasa computer configuration setting set to do one thing and the same grouppolicy object user section is set to do the opposite, the settings outlined inthe computer configuration are enabled. The second rule is that anythingexecuted next takes precedence. Following along with the preceding example,if the next group policy object set at the domain level (GPO2) has anothersetting that conflicts with a previous one, it takes precedence.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 221

Here is an example:

1. The local system GPO says to remove Run from the Start menu. (It’s removed.)

2. GPO2 at the domain level (bottom of the list) says to remove Run fromthe Start menu. (It’s removed.) GPO1 at the domain level (top of the list)says to enable Run on the Start menu. (It’s added.)

3. GPO2 at the parent OU level (bottom of the list) says to enable Run onthe Start menu. (It’s added.) GPO1 at the parent OU level (top of the list)says to enable Run on the Start menu. (It’s added.)

4. GPO3 at the local OU level (bottom of the list) says to enable Run on theStart menu. (It’s added.) GPO2 at the local OU level (middle of the list)says to enable Run on the Start menu. (It’s added.) GPO1 at the local OUlevel (top of the list) says to remove Run from the Start menu. (It’sremoved.)

You’re probably asking, “What does all this mean?” The example policy youcreate in the next section guides you through the setup.

Creating a group policySuppose you want to set a group policy to apply to all users in the domain.The policy will prevent the users from changing their passwords. Followthese steps to implement this new group policy:

1. Open the Group Policy Management Console. (Choose Start➪AllPrograms➪Accessories➪Run, and then type gpmc.msc and press Enter.)

2. In the console tree, select the forest name, expand the Domainsbranch, and then select the domain where you want to implement thepolicy.

3. Right-click the domain name and choose Create a GPO in This Domainand Link It Here.

The New GPO dialog box appears.

4. Specify a name for the new GPO and then click OK.

5. In the right window pane, right-click the new policy name and chooseEdit.

6. Navigate your way down through the left window pane to UserConfiguration➪Administrative Templates➪System➪Ctrl+Alt+DelOptions, as shown in Figure 11-7.

7. Double-click the Remove Change Password object in the right pane.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 222

8. In the Setting tab, select Enabled, click the Apply button, and thenclick OK.

This new policy affects all current and future user accounts in the domainbecause it’s created and linked to the domain container. However, it doesn’taffect those accounts that are logged on. The effect takes place after thoseusers log out and then log back on to the system.

Notice when you opened the Group Policy tab and clicked the Edit button,you saw information relating to computer configuration and also to user con-figuration. If there’s a conflict between the two, the computer configurationtakes precedence in Windows Server 2008.

The preceding steps allow you to add a group policy and then edit the policyusing the administrative templates that were visible to you. Other templatesare available but simply not loaded. To add another template for use, go back to the left window pane under User Configuration and right-clickAdministrative Templates. Next, select Add/Remove Templates to display a list of policies. Click the Add button to view other available templates.

You’ll find a lot of useful policies already preconfigured for you in ComputerConfiguration➪Windows Settings➪Security Settings. For example, there’s atemplate for setting a policy to force unique passwords for accounts.

If you’re concerned about security, you should employ an accounts policythat requires regular password changes (a new password every 30 days orso) and locks out accounts that fail to log on successfully after three tries.

Figure 11-7:The

Ctrl+Alt+Deloptions that

can be setwith the

UserConfigu-

rationAdminis-

trativeTemplate.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 223

Auditing for troubleTo look at the access control information for any given group policy, you canlook at which locations are associated with the policy, who has permissionsin the policy, and how it’s audited (which is what we cover in this section).All this is accomplished by clicking the Properties button in the Group Policydialog box.

Auditing information on the network allows you to track activities throughoutyour network. This process can help you locate configuration problems,security breaches, improper activity, and misuse of the system. To enableauditing on your local system, do the following:

1. Open the Group Policy Object Editor. (Choose Start➪All Programs➪Accessories➪Run, and then type gpmc.msc.)

2. In the console tree, click Audit Policy.

3. Navigate the left results pane to select an event category that youwant to change.

4. Double-click the option you want to audit.

The Security Policy Setting dialog box appears.

5. Choose to audit either Success or Failure attempts (or both).

(This dialog box is displayed so that the administrator can choose toaudit successful attempts, failed attempts, or both.)

6. After making your selection, click OK.

You can add the Local Group Policy Object snap-in by opening MicrosoftManagement Console (MMC). Click Start and then in the Start Search text,type mmc. Press Enter when the appropriate entry on the Start menu is highlighted. From the File menu, click Add/Remove Snap-In to open the Addor Remove Snap-Ins dialog box. Under Available Snap-Ins, choose LocalGroup Policy Object and click Add to include it with selected snap-ins; thenspecify GPO properties and click Finish.

It’s beneficial to audit failed attempts for certain objects, such as logonattempts and object access. This can warn you of an impending intruder.

The information obtained through auditing is recorded in the Event Viewer’sSecurity Log. Launch the Event Viewer from the Administrative Tools menuand select Security Log. The right pane displays a list of the items you choseto audit. It’s a good idea to check this log regularly, and then clear the log soit doesn’t fill up.

Another point to remember is that this example uses the local securitypolicy. If a domain policy is different, it takes precedence. For example, if youset to log all successes and all failures for all local security policy elementsand the domain security policy is set to Not Configured, no logging is enabledbecause the domain security policy is enabled after the local security policy.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 224

When Access Problems Loom . . .User accounts govern who can access a computer system and what level ofaccess that person enjoys. Sometimes, though, users run into problems thatprevent the normal operation of the logon process.

Most logon problems center on an incorrectly typed password. Therefore,users should take the time to type their passwords correctly. This is goodadvice only if their accounts haven’t been locked out because of failed logonattempts. If your user’s account is locked out, it must be re-enabled. This canoccur in one of two ways. If the lockout policy is set with a duration, youneed to only wait until the time expires and try again. If the lockout policyrequires administrative intervention, you have to reset that user’s account.

When a user can’t log on or communication with the network seems sporadic,check the following:

� Make sure that the network interface card (NIC) and other physical network connections are solid.

� On any Windows system — Windows NT Workstation, Windows 2000,Windows XP Professional, Windows Server 2003, and Windows Server2008 — you must ensure that the computer is a member of the domainto log on to the domain with an account listed in Active Directory toaccess network resources.

� If using the Internet Protocol (IP) and a statically assigned IP address,check the configuration settings to ensure that the computer is using the correct IP address, subnet mask, and default gateway, and be surethat it has the proper DNS settings for the network.

� If your network employs Dynamic Host Configuration Protocol (DHCP)to assign IP settings from a small pool to a larger group of computers,you may be stuck as the last person standing when the music stops andall available connection addresses are in use. You can verify whetherthis would have happened by going to a command prompt, typingIPCONFIG /ALL, and reviewing the settings. If you have an IP addressthat falls in the 169.254.0.1 through 169.254.255.254 Automatic PrivateInternet Protocol Address (APIPA) range, it’s possible that the DHCPserver ran out of available addresses to assign, or your system had trouble communicating with the DHCP server.

If users can log on but can’t access all the resources that they think theyshould be able to access, you need to verify several items:

� Group memberships

� Physical network connections to resource hosts (That is, check that a server’s network cable isn’t disconnected.)

� Presence of group policies restricting the user’s action


17_180433 ch11.qxp 2/25/08 7:48 PM Page 225

If everything we mention checks out, you may have a fairly esoteric problem.Consult a Microsoft resource (online or through TechNet) to search for asolution. Yeah, that’s weak advice, but it’s the most valuable thing we can tellyou. The Microsoft information database is expansive — if someone else hashad the same problem, you can probably find information posted about itsresolution.


17_180433 ch11.qxp 2/25/08 7:48 PM Page 226

Chapter 12

Managing Shares, Permissions,and More

In This Chapter� Exploring objects, rights, and permissions

� Understanding how permissions apply to NTFS objects

� Considering FAT and FAT32 partitions

� Understanding how permissions apply to file shares

� Determining actual permissions

� Making access controls work

In large part, working with Windows Server 2008 means using the WindowsNT File System, usually called NTFS. This file system’s advanced features

include attribute-level access control lists (ACLs) for objects, so you can control not only which users or groups can access a volume, directory, orfile, but also which operations users or groups can perform against it.

Transactional NTFS and the kernel transactional technology calledTransactional Registry are enhanced in Windows Server 2008. These transac-tions are necessary to preserve file system integrity and handle error conditions reliably.

Windows 2008 also supports FAT and FAT32 file systems (FAT stands for FileAllocation Table), which don’t include object-level access controls. However,FAT and FAT32 do support so-called file shares (shared directories with thefiles they contain) that support access controls. Understanding how shareswork and how NTFS permissions combine with share permissions are majorconcerns in this chapter. We show how to figure out what a user can (andcan’t) do to files based on his or her account permissions, the groups towhich he or she belongs, and the underlying defaults that apply to WindowsServer 2008 itself.

Chapter 8 discusses this information as it applies to Active Directory.

18_180433 ch12.qxp 2/25/08 7:49 PM Page 227

More about Objects, Rights, and Permissions

Before you can revel in the details of the rights and permissions that apply toWindows Server 2008, you should ponder some technical terminology. That’swhy we take a brief detour to dictionary-ville — right here, right now.

An object lessonWindows Server 2008 treats all user-accessible system resources — includingusers, groups, files, directories, printers, and processes — as objects. Theterm object has special meaning to programmers and tech-heads: This termrefers to a named collection of attributes and values, plus a named collectionof methods, which Microsoft calls services.

For example, a file object has a variety of attributes that you already knowabout, if you’ve spent any time at all around computers: Files have names,types, lengths, owners, plus creation and modification dates. For an object,each attribute also has an associated value; therefore, the attributes andvalues of an object that is a file might be as follows:

� Name: BCD (boot configuration data)

� Type: Boot configuration and boot environment settings

� Contents: Information on how to boot Windows Server 2008 (also usedin Windows Vista; resides in $HOMEDRIVE\Boot)

� Size: About 32KB

Attributes identify individual objects of some specific type — in this case, atype of file — and define what they contain, where they’re located, and so on.

However, it may not be so readily apparent why methods or services areimportant for objects. If you examine a file object, you can see that its meth-ods describe operations that you would want to apply to a file. Therefore, the methods or services that apply to file objects include things such as read,write, execute, delete, rename, and other typical file operations. In short,methods define the operations that can be applied to a particular object.Among other things, this makes objects pretty much self-defining becausethey include in their attributes complete descriptions of themselves andinclude in their methods or services complete descriptions of what you cando to them. Other object types have different associated methods or servicesthat reflect the objects’ capabilities and the data that the objects contain.


18_180433 ch12.qxp 2/25/08 7:49 PM Page 228

When you examine the attributes for specific objects in Windows Server 2008, things start getting pretty interesting. Every single attribute of everysingle object has an ACL (this is sometimes pronounced ackle, to rhyme withcackle). ACLs identify those individual user accounts or groups that mayaccess a particular object (or one of its attributes) and also indicate whichservices each user or group may apply to that object (or one of its attributes).Administrators use ACLs to control access to objects (and, logically, theirattributes), giving themselves free rein to troubleshoot objects while limitingordinary users’ abilities to accidentally (or purposefully) harm the system.

When is a file not an object?Windows Server 2008 uses objects for most everything in its operating environment that users can access. In fact, NTFS volumes, directories, andfiles are Windows Server 2008 objects with associated attributes and a set of well-defined services that may be applied to those objects. However,because older FAT file systems (and the newer Windows 98 FAT32) don’tinclude built-in support for ACLs, FAT and FAT32 files are not objects.Therefore, even though FAT and FAT32 volumes, directories, and files stillhave attributes similar to those for NTFS files (namely, name, type, creationdate, modification date, and so forth), FAT and FAT32 volumes, directories,and files aren’t Windows Server 2008 objects, per se. The lack of built-in support for ACLs explains why FAT volumes and their contents are inherentlyinsecure (because normal permissions don’t apply to them).

More important, this also explains why default logon behavior for WindowsServer 2008 is to deny everyone but server operators, administrators,backup operators, and printer operators the right to log on locally. That’sbecause anyone who can access a FAT or FAT32 volume can do anything theywant to it. By denying ordinary users the right to log on to a Windows Server2008 at its keyboard and requiring them to log on only through the network,Windows Server 2008 can control access to FAT and FAT32 volumes throughshares. Shares function as Windows Server 2008 objects and therefore havebuilt-in access controls.

Users have rights; objects have permissionsIn Windows Server 2008, standard usage is to speak of user rights and objectpermissions. Because object permissions are rather vague, permissions arecommonly used to refer to a specific object class, such as file permissionsor printer permissions.

229Chapter 12: Managing Shares, Permissions, and More

18_180433 ch12.qxp 2/25/08 7:49 PM Page 229

A user’s rights define what he or she can do to objects (or their attributes) inthe Windows Server 2008 environment. A user obtains rights to objects inone of three ways:

� Those rights are explicitly assigned to an individual user account.

� Those rights are assigned to the groups to which the user belongs. Thisis where users can be granted privileges to perform specific tasks, suchas backing up files and directories.

� Those rights are assigned through the Group Policy window. To accessthat window, open one of the Active Directory Administrative tools, right-click a site, an organizational unit, a domain, or a local computer. ChooseProperties, click the Group Policy tab, and then click Edit. You edit userrights in the Group Policy window under Computer Configuration➪Windows Settings➪Security Settings➪Local Policies➪User RightsAssignment.

When a user logs on to a Windows Server 2008 domain (or a stand-alonesystem), a special key called an access token is generated. The access tokenrepresents the user’s explicit individual rights and the groups to which theuser belongs. It takes some time to generate an access token, which is onereason why logging on to Windows Server 2008 isn’t instantaneous.

Every object (and its attributes) in the Windows Server 2008 environmentincludes an attribute called permissions (which is found on the Security tab of each object). This permissions attribute includes an ACL that identifies allusers and groups allowed to access the object’s attributes as well as servicesthat each user or group may apply to the object’s attributes.

Each time a user requests an object, Windows Server 2008 uses a built-infacility called the Security Reference Monitor (SRM) to check the user’saccess token against the permissions for that object. If the SRM finds that theuser has permission, Windows Server 2008 fulfills the request; otherwise, theuser is denied access. It’s possible for users to have access to specific attrib-utes of objects, but not other attributes. For example, Nancy may be grantedaccess to view part of JoAnne’s account information, such as her telephonenumber, but not JoAnne’s street address.

Of Windows Server 2008 NTFS and Permissions

NTFS is a file system just as FAT and FAT32 (the 32-bit File Allocation Tableused in Windows 98) are file systems. The difference between NTFS and theseother file systems is that NTFS is object-oriented. Unlike FAT and FAT32, NTFSsees everything in NTFS partitions as objects of some specific type that have


18_180433 ch12.qxp 2/25/08 7:49 PM Page 230

attributes and to which methods and services can be applied. The benefit of using NTFS is that you can set permissions for the volumes, files, anddirectories that use NTFS.

In fact, NTFS recognizes three types of objects:

� Volumes: The NTFS-formatted drive partitions that show up as diskdrive icons. A volume object may contain files and directories.

� Directories: Named containers for files that occur in a volume or insome other directory. In fact, Windows Server 2008 allows you to nestdirectories however deep you want, which means that you can put asmany directories within directories within directories as you like.(Although nested directories reach a point of diminishing returns fairlyquickly.)

� Files: Named containers for data that include type, size, dates, and content among their attributes. Files are where information actuallyresides in NTFS.

To examine permissions for any object in NTFS, right-click that object inWindows Explorer, My Computer, or Active Directory Sites and Services. Inthe pop-up menu, select Properties and then click the Security tab. At thebottom of the Security dialog box, you see the Permissions section (as shownin Figure 12-1). From here, you can investigate a list of available permissionsfor this object (volume E on our hard drive, in this case) through the list thatappears in the Permissions section in the lower half of the screen.

Figure 12-1:The

Permissionslist showsyou all the

permissionsthat apply to

the object.


18_180433 ch12.qxp 2/25/08 7:49 PM Page 231

NTFS permissionsThe Permissions list shows permissions for files, volumes, and directoryobjects in NTFS. NTFS file, volume, and directory permissions are similar. Theonly real differences are that container objects offer child inheritance optionsand a few permissions apply only to containers. We use the generic term container to refer to volumes and directories — in other words, objects thatact as parents to child objects.

Windows Server 2008 has a slightly different method of permission assign-ments and permission restrictions than what is used in Windows NT, but the same method as used in Windows 2000. First and foremost, it doesn’thave a No Access permission. Instead, all permissions are either granted orrestricted using an Allow or Deny setting. Selecting Deny for all possible permissions for an NTFS object under Windows Server 2008 is the same asthe No Access setting in Windows NT.

The standard or normal NTFS permissions are as follows:

� Read grants users the ability to view and access the contents of thefolder or file.

� Write (folders) grants users the ability to create new folders and fileswithin the folder.

� Write (files) grants users the ability to change the contents of a file andto alter its attributes.


Taking ownership of objects in NTFSAn owner of an object can always modify its per-missions, no matter which permissions arealready set for that object. This permission exists,at least in part, to sidestep the Deny trap that can occur when an object’s owner mistakenlysets permissions for a general group, such as Everyone or Authenticated Users. (These two default groups are discussed further inChapter 14.)

If the Everyone group is assigned Deny for allpermissions of an object, that group includes

anyone who may want to access that object.Unless an administrator or the object’s creator(its owner, by default) resets permissions to beless restrictive, no one can access that object —or any objects that it contains.

Full Control is important because it grants theobject’s owner the power to change access tothat object and to change services that apply tothe object. In essence, Full Control is your get-out-of-jail-free card!

18_180433 ch12.qxp 2/25/08 7:49 PM Page 232

� List Folder Contents (folders only) grants users the ability to see thenames of the contents of a folder.

� Read & Execute (folders) grants users the ability to view and access thecontents of the folder or file and to execute files.

� Read & Execute (files) grants users the ability to view and execute files.

� Modify (folders) grants users the ability to delete a folder and its contents, to create new files and folders within a folder, and to view andaccess the contents of a folder.

� Modify (files) grants users the ability to delete a file, change the contentsof a file, alter a file’s attributes, and to view and access a file.

� Full Control (folders) grants users unrestricted access to all of the functions of files and folders.

� Full Control (files) grants users unrestricted access to all of the functionsof files.

Advanced permissionsAdvanced permissions are detailed controls that can be used to create specialaccess rights when the standard complement of permissions don’t applyproperly. Advanced controls are accessed by clicking the Advanced buttonon the Permissions tab of an NTFS object. This reveals the Advanced SecuritySettings dialog box, which has four tabs:

� The Permissions tab is used to define special-detail permissions.

� The Auditing tab is used to define the auditing scheme.

� The Owner tab is used to view the current owner or take ownership ofan object.

� The Effective Permissions tab displays the permissions a user or grouphas on the current object, based on all applicable permission settings.

On the Permissions tab, users or groups can be added and their specific permissions defined. The possible selections are

� Full Control

� Traverse Folder/Execute File

� List Folder/Read Data

� Read Attributes

� Read Extended Attributes


18_180433 ch12.qxp 2/25/08 7:49 PM Page 233

� Create Files/Write Data

� Create Folders/Append Data

� Write Attributes

� Write Extended Attributes

� Delete

� Read Permissions

� Change Permissions

� Take Ownership

If you really must dig up all the details on special access rights, please consult Microsoft’s TechNet CD and the Windows Server 2008 Resource Kit.

FAT and FAT32 Have No PermissionsBecause the FAT and FAT32 file systems that Windows Server 2008 supportsalong with NTFS include no mechanisms for associating attributes with files and directories, files stored in a FAT or FAT32-formatted volume have no associated permissions, either. Anybody who’s allowed to log on to aWindows Server 2008 Server with a FAT or FAT32 partition can access anyfiles in that partition. This helps explain why you may want to restrict who’sallowed to work on your servers, as well as why you should lock them up.

The reason that FAT partitions are still around is that a dual-boot machinethat runs Windows 9x or some non-Windows operating systems (such as Linux or some version of UNIX) as well as Windows Server 2008 mustinclude a FAT partition from which the other operating system can boot. Thismight be a FAT32 partition for Windows Server 98, but we recommend FATbecause Windows Server 2008 can read that partition when it’s running —and more operating systems can read FAT partitions than any other kind offile system.

Only Windows Server 2008, Windows Vista, Windows Server 2003, WindowsXP, Windows 2000, and Windows NT can read NTFS partitions, so be carefulwhen reformatting partitions on dual- or multi-boot machines! Plus, WindowsServer 2008, Windows Vista, Windows Server 2003, Windows XP, andWindows 2000 all use NTFS version 5. Windows NT uses NTFS version 4 bydefault, but if you apply Service Pack 4 or later, Windows NT is upgraded to include NTFS version 5.


18_180433 ch12.qxp 2/25/08 7:49 PM Page 234

Share PermissionsWhen users access files on a Windows Server 2008 machine, they usually do so across the network, especially if you restrict who’s allowed to log on to the server and limit physical access to the machine. Therefore, most userswho access files on a Windows Server 2008 do so through a network share,which is a directory on a Windows Server 2008 that you’ve shared to the network for public access.

Shares are also objects for Windows Server 2008, so permissions do apply.The list of applicable permissions consists of the following entries, managedusing the same Allow/Deny method as for direct NTFS object permissions:

� Read permits viewing of files in the share, loading of files across the network, and program execution.

� Change includes all Read permissions, plus creating, deleting, or changing directories and files within the share.

� Full Control includes all Change permissions plus changing permissionsfor and taking ownership of the share.

No Special Access exists for shares. Table 12-1 summarizes the basic permissions for shares.

Table 12-1 Share Permissions and Basic PermissionsFile Read Write Execute Delete Change

Read X X

Change X X X X

Full Control X X X X X

If you want to expose the contents of a FAT partition on a Windows Server2008 to network users, doing so through a share automatically gives yousome degree of access control, which is yet another advantage to using a network!

To create a share, right-click a directory in My Computer or Windows Server2008 Explorer, and then choose share. The Properties window for that direc-tory appears with the Sharing tab selected, as shown in Figure 12-2.


18_180433 ch12.qxp 2/25/08 7:49 PM Page 235

Click the Share button to open the new File Sharing window, which offersthese options:

� User name (input box): You can manually type, select from a list, orsearch the network for applicable user names for this share.

� Name (list box): By default, you see an entry for the file or directory’soriginal owner usually accompanied by an entry for the system adminis-trator. This represents the active list of users who may utilize sharedresources according to specified permissions.

� Permission Level: The Permission Level grants encapsulated rights —privileges defined by certain roles — to specified user names. Defaultdefinitions include reader (view-only), contributor (view all files, add,change, and delete new files), and co-owner (view, change, add, or deleteall files). You may also remove entries here.

A more comprehensive method of managing shares and storage volumes is tonavigate to Start➪Administrative Tools➪Share and Storage Management.This management application gives you a centralized perspective over alldrives and drive shares on the system with more advanced properties andsettings dialog boxes than the right-click context menu provides. Take anyusual safety precautions when sharing files and data, ensuring that onlyappropriately shared data resides in such directories at all times.

Figure 12-2:The Sharingtab provideseasy accessto a share’sname, user

limits,permissions,and caching

settings.


18_180433 ch12.qxp 2/25/08 7:49 PM Page 236

Calculating Actual PermissionsUsers have rights not only as a result of the NTFS permissions explicitlyassigned to specific files or directories for their accounts but also by virtue of the groups to which they belong. Because NTFS shares exist, figuring out permissions can get pretty interesting when you have to combine NTFS andshare permissions for a particular file or directory while also taking user settings and group memberships into account. To help you figure out what’swhat, we give you a recipe for calculation, plus a few rules to use, and thenwe walk you through an example to show you how things work.

The rules of calculationTo figure out which permissions apply to a share on an NTFS object, youmust first determine which permissions apply to the NTFS object by itself.This could include inheritance features from parent to child object. (SeeChapter 8 for a refresher on inheritance.) Next, you must determine the permissions that apply to the share. (The rules for this process appear in thefollowing section.) Whichever of the two results is more restrictive wins anddefines the actual permissions that apply to the file or directory in question.This process isn’t difficult, but it may produce some counter-intuitive results.

You must apply these rules exactly as they’re stated, or we can’t guaranteethe results. Here goes:

1. Determine the permissions on the object.

2. Determine the permissions on the share.

3. Compare the permissions between the share and the object.

The more restrictive permission is the permission that applies.

Whenever you or your users can’t obtain access to a particular file-systemobject through a share (or NTFS by itself, for that matter), always checkgroup memberships and their associated permissions.

Figure this!The formal explanation may not completely illuminate the process of figuringpermissions, so this section provides a couple of examples.

Betty belongs to the Marketing Dept, Domain Users, and Film Critics groups.She wants to delete the file in an NTFS share named Rosebud.doc. Can shedo it? Table 12-2 shows her individual and group permissions.


18_180433 ch12.qxp 2/25/08 7:49 PM Page 237

Table 12-2 Betty’s NTFS and Share PermissionsType Membership Name Permission

NTFS User Account BettyB Read

Group Marketing Dept Read

Group Domain Users Change

Group Film Critics Change

Share User Account BettyB Read

Group Marketing Dept Read

Group Domain Users Read

Group Film Critics Read

On the NTFS side, Read plus Change equals Change; on the share side, Read isthe only game in town. The most restrictive of Read and Change is Read. Readdoesn’t allow Betty to delete, so Betty’s out of luck! Maybe next time. . . .

Let the OS do it for youNow that you know how to figure permissions manually, we show you ashortcut. In fact, we already told you about it earlier in this chapter. If youdisplay the Advanced Properties dialog box from an object’s Security tab,you can access the Effective Permissions tab. By selecting a specific user orgroup, this tab displays its effective permissions, as shown in Figure 12-3.

Figure 12-3:The

EffectivePermissionstab from the

AdvancedSecuritySettings

dialog box.


18_180433 ch12.qxp 2/25/08 7:49 PM Page 238

But What about Access Control with Active Directory Objects?

We talk about objects and access control, but with Active Directory, you mustbe aware of two more features: delegated access control and property-basedinheritance. The following sections describe these two features in general;turn to Chapter 8 for the gory details.

Delegation of access controlYou can enable others to manage portions of your network for you — otherwise, you’d be working 24/7! You can slice up the management by wayof the domain, or you can give someone else rights to manage the organiza-tional unit for you, depending on the functions you want that person to perform. This is accomplished through the Delegate Administration Wizard,which is in the Active Directory Users and Computers snap-in. (ChooseStart➪Administrative Tools➪Active Directory Users and Computers, click a domain, and then choose Delegate Control from the Action menu.)

An organizational unit is an Active Directory container that holds other organizational units, computers, users, and groups. For more information on organizational units, see Chapter 7.

Before you can give others access to manage Active Directory objects, youmust first have the proper permissions to delegate that object authority. Inaddition, you must give the proper permissions to others to manage thatobject. For more information on this, see Chapter 8.

Property-based inheritanceJust as you might inherit money from a relative, the lower levels of your network structure can inherit access control information set at a higher levelof the structure. Inheritance, as its name suggests, always flows in a down-ward direction. We want to touch briefly on two methods of property-basedinheritance. (For more information and detail on how this inheritance works,see Chapter 8.)

The first method is called dynamic inheritance. As the word dynamic suggests,the access control information for this type of inheritance is calculated on thefly every time a read/write to the object is requested. This results in some per-formance overhead (such as extra traffic) that should be considered on a busynetwork. (Extra traffic on a busy network can slow things down significantly.)


18_180433 ch12.qxp 2/25/08 7:49 PM Page 239

The second method is called the static model, also referred to as Create TimeInheritance. This means that the access control information for an object isset when the object is created by looking at the parent object permissionsand combining those permissions with the new object permissions. Unlessthe new permissions are set at a higher level, the access control doesn’tchange for the object. Therefore, when a request is made to read or write to the object, no recalculation is necessary to determine the permissions.However, if permissions are changed at a higher level, these changes arepropagated downward to change permissions or reset combined permissionsat lower levels — similar to dominoes toppling over. The only time there’s a recalculation is when the permissions at higher levels are set and the propagation is in progress.


18_180433 ch12.qxp 2/25/08 7:49 PM Page 240

Chapter 13

Preparing for That Rainy DayIn This Chapter� Understanding why backing up data is important

� Planning your backups

� Looking at Windows Server 2008 backup methods

� Finding out how to restore from a backup

� Discovering third-party alternatives

� Using the Backup Operators group

A backup recovery scheme for your data is important because of the critical business applications and functions that typically reside on net-

works. Without a plan to protect data, disruptions to an entire organization’sdata and workflow process can occur, resulting in loss of revenue.

Unfortunately, many organizations place little emphasis on protecting theirdata until some actual loss occurs. In this chapter, you find out about different methods for protecting your organization’s data to prevent losses.

Why Bother Backing Up?Backing up is the process of copying data from one location to another —either manually or unattended. Copying data from one directory on a harddisk to another directory on that same hard disk is effective until the harddisk crashes and both copies of the data become inaccessible. Also, by copy-ing data to the same drive, you neglect to copy any of its security or accountinformation. This means you must re-enter that information manually. Don’tyou think it’s a better idea to back up all files (such as system, application,and user data) to another physical medium (such as a tape, CD/DVD, or otherbackup device) and then rotate that device off-site periodically?

19_180433 ch13.qxp 2/25/08 7:49 PM Page 241

Many organizations place their critical business functions and data on thenetwork, including e-mail, accounting data, payroll, personnel records, andoperations. Loss of just one element of that collection hinders operations,even if it’s just for a short time. Imagine if payroll information disappearedfrom the system and some employees didn’t get paid on time. We wouldn’twant to go there!

Data losses can be as simple as one corrupt file or as complex as the entirecontents of a server’s hard disk becoming unreadable. Organizations canavoid data loss problems almost entirely by backing up on a regular basis.

Considering potential threatsAll kinds of threats pose danger to data. Anything from fires to computerviruses can obliterate data on a network. Planning for each type of disasterhelps secure and restore your organization’s data should that disaster occur.

Data loss on a network can occur in many ways. If you understand the poten-tial threats and plan for them, you can prevent serious damage to your network and loss of data. We urge you to back up your network regularly andto rotate a recent copy off-site.

Here are some potential threats you and your network can encounter:

� Hard disk crash: Even if you’ve built fault tolerance (such as mirroringor duplexing) into a server, don’t expect those methods to always workand recover everything 100 percent. We’ve seen mirrored drives go outof synch without notice until the hard disk crashes. Without backups,you can lose all your data or segments of it. It’s a good idea to complement mirroring and duplexing with regular backups.

� Ungraceful shutdown: Every once in a while, you get a smart-aleckemployee who hits the on/off switch to the server, causing it to shutdown improperly. Most servers today come right back up — but notalways. Shutting the server down in this manner can render its harddisks unreadable. You should put your servers in a secure location awayfrom end users. And don’t forget to back up on a regular basis!

� Viruses: Many organizations connect to the Internet, allowing employeesto download all types of data to the local area network that could intro-duce viruses. Viruses pose a real threat to organizations. One virus canruin an entire computer and render it useless in a short time. If this computer happens to be a server on your network, someone’s going tobe reading the employment classifieds. Installing virus protection soft-ware on the server allows you to check for viruses before they’re storedon the server. Put a backup plan in place that allows you to restore thedata on your network as it was before the introduction of the virus.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 242

� Environmental disasters: We’ve seen many organizations lose dataduring environmental disturbances, such as bad storms. If lightning canzap the electronics in your home, it can do likewise to data on a network.

Some environmental disasters you should plan for include the following:

• Fire: One fire in a building or on a floor can annihilate an entireorganization. If your organization loses everything in a fire, you’llbe the savior if you produce a recent copy of the network storedsafely off-site. If you store backup media on top of your server inthe computer room, however, you’ll be the one who’s pounding the pavement.

• Floods: Placing a computer room, server, or backup equipment inthe basement or first floor of a building is a bad idea, particularlyin flood-prone areas. One flood can obliterate an entire organiza-tion. Even if a flood occurs, you’re safe with backup media off-site — away from the flood zone.

• Hurricanes: Hurricanes bring high winds and rain with them. Don’tput your server or backup equipment in a computer room withoutside windows. You could come back and find everything strewnaround and sopping wet — and have no backup media to restore.

• Temperature: Placing a server or a backup machine in a closedroom lacking proper ventilation can cause problems. Don’t put servers or backup equipment in small rooms with other heat-producing equipment, such as a copier, without forced air cooling.Buildings do shut down A/C systems on weekends and holidays,and heat can kill servers.

Some viruses have a gestation period; therefore, they can be inserted intoyour network but go unnoticed until after a set number of days. We’ve seen disgruntled employees place viruses on networks and then leave a company — 30 days later, a virus appears. Incorporate this thought into yourbackup plan by always backing up on a 30-day rotation scheme. If a virus likethis is introduced onto your network, you can go back at least 30 days inyour backup media to try to restore the network prior to the virus’s introduc-tion. If you have only a week’s worth of backup, all the backups you have contain the virus.

How many backup types are there?The computer world recognizes five types of backup methods, and the sameis true with the Windows Server 2008 backup facility. The five types of backups available in Windows Server 2008 are:

� Normal

� Copy

243Chapter 13: Preparing for That Rainy Day

19_180433 ch13.qxp 2/25/08 7:49 PM Page 243

� Daily

� Differential

� Incremental

Before you can truly understand backup methods, you must understand alittle attribute called the archive bit. Files have attributes, which are the proper-ties of a file. One of the attributes found in Windows Server 2008 is the archivebit. After a file is created or modified, its archive bit is automatically reset by the operating system. This archive bit indicates that the file needs to bebacked up, even if backup software isn’t installed or configured on the com-puter. Backup software looks for this bit to identify the status of files. Think ofthis as a seal on every file on your system. When the operating system, a user,or an application modifies the file, the seal is broken. The backup softwarethen goes through the files and “re-seals” them by backing them up.

NormalThe normal backup copies all selected files and sets the archive bit, whichinforms the backup software that the files have been backed up. This type of backup is performed the first time computer data is backed up. With thistype of backup, only the most recent backup image is needed to restore all files. (See the “Local backup” section, later in this chapter, for more information on normal backups.)

CopyThe copy backup is useful because it doesn’t set the archive bit and, there-fore, doesn’t affect normal and incremental backups. It can be used to copyselected files between scheduled normal or incremental backups. (See the“Incremental” section later in this section for more information.)

DailyThe daily backup copies selected files that were changed the day the backupjob started. A daily backup doesn’t set the archive bit. This backup can beused to copy only those files that were changed on that day, and because thearchive bit isn’t set, the regular backup goes on as usual.

DifferentialLike the copy and daily backups, the differential backup also doesn’t set the archive bit. It copies all files that were created or modified since the last normal or incremental backup. One practice is to use a combinationof normal and differential backups to configure the backup job for the computer. In this combination, a normal backup is performed weekly, and differential backups are performed daily. If this is the backup job used and a restore is being performed, only the last normal and the last differentialimages are required.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 244

IncrementalThe incremental backup is similar to the differential backup in that it backs uponly those files that have been created or modified since the last normal orincremental backup. Unlike differential backups, however, incremental back-ups do set the archive bit, which indicates that the files have been backedup. A combination of normal and incremental backups can be used to config-ure a backup job. In this combination, a normal backup is used once a weekand incremental backups are performed on a daily basis. To restore the filesusing this type of backup combination, the last normal and all incrementalsets are required.

Configuring a backup job to use this combination is fast and utilizes storagespace efficiently because only those files that were modified get backed up.However, it’s important to note that restoration is more difficult and takeslonger compared to a combination of differential and normal backups, simplybecause you have to use a whole set of incremental images. This type ofbackup combination or configuration is ideal for an enterprise in which anAutomated Tape Library (ATL) can be used. Using an ATL, the backup software controls the entire restore operation, including the decision to load the correct tape sequence using its robotic arm.

An ATL is basically a software-controlled backup system in which loading or changing tapes isn’t necessary. A typical ATL system is usually designedaround a container/library, which can hold from just a few tapes to severalhundred, with each tape identified by a unique bar code. Inside the libraryare one or several tape drives to read and write to tape. An ATL system alsoincludes a mechanism responsible for moving the tape to and from the tapedrive. This mechanism can be a robotic arm (in the case of large ATLs) or asimple system similar to those found in a cassette tape recorder. The backupsoftware controls the entire operation by instructing the robotic arm to loada specific tape in a specific tape drive and start the backup or restore job.

Network versus local backupWhen backing up information on a network, you have a choice between performing a network backup or a local backup. In this section, we cover theparticulars of each option.

Network backupNetwork backups are used in large network environments. When you use anetwork backup, a host computer is configured to back up remote computersattached to the host computer through the LAN. In this scenario, data travels


19_180433 ch13.qxp 2/25/08 7:49 PM Page 245

from the remote computer over the network to reach the host computer —the one configured with backup storage. After data is off-loaded from the net-work interface to the computer’s bus, the data is treated as if it were a localbackup. (See “The Windows Server 2008 Backup Facility” section, later in thischapter, to find out how to configure your server to back up a remote computer.)

The transfer rate can be a problem with this type of backup because datamust traverse and share the LAN with regular traffic. It’s more than likely that the LAN is designed around a 10-Mbps Ethernet or a 100-Mbps FastEthernet. In any case, data speed would be greatly reduced, compared to thelocal backup. To deal with this problem and to accommodate the needs of anenterprise in which a large amount of data must be backed up each night, theindustry has developed the storage area network (SAN). In this architecture,all computers and storage device(s) are attached directly to the loop usingeither 1,000 Mbps Gigabit Ethernet (GbE) links or a Fibre Channel ArbitratedLoop (FC-AL), with a bandwidth of 100 Mbps. Furthermore, only computersand the backup device(s) share this bandwidth. Such architecture is expensive, but its benefits for the enterprise more than justify its high cost.

Local backup The local backup configuration consists of a local tape drive attached to orinstalled in the computer by means of an Integrated Drive Electronics (IDE)interface, a Small Computer System Interface (SCSI), or — as is most recentlypopular — Serial ATA (SATA) drives and connections. Local backup is fastbecause when you use these interfaces, backup storage is directly attachedto the computer bus. On some of the new SCSIs, such as the Ultra-640 SCSI,the transfer rate can reach 640 Mbps. It’s more likely that this transfer ratewon’t be achieved, however, because even fast hard drives can achieve only a fraction of that actual wire transfer rate, depending on the drive type. Withtoday’s advances in hardware, it’s possible to get close to 30GB or more perhour with existing SCSI or SATA II gear.

Local backup is relatively inexpensive because it involves the price of onlythe backup storage and its interface (and media, where applicable). Mostcomputers are already configured with extra SATAs or SCSIs that can be usedfor this purpose. One additional cost is the price of a license for the backupsoftware, if third-party software is used. However, Windows Server 2008comes with powerful backup software that’s free!

Understanding the technologyRegardless of whether you choose a network or local backup, and regardlessof how often you decide to back up, you must understand some terminologyand technology used in backup systems and the different methods involved.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 246

Online, nearline, offlineYou hear a lot of buzz about online, nearline, and offline storage options.Choose the method that suits your organization’s retrieval time and effort,depending on how often you find yourself restoring data and how fast youwant data retrieved. Descriptions of these three backup types follow:

� Online: This type of backup is typically performed on your server, usu-ally in the form of a second hard disk that is mirrored or duplexed. Datais readily available to users through their desktops with no interventionfrom you except that you must regularly check the status of this faulttolerance. Drives can go out of synch without notice unless you monitorthe drives manually or through software.

� Nearline: This type of backup is performed on a device attached to thenetwork. A nearline backup requires some work on your part because itusually uses some method unknown to the user, such as compressiontechniques. The data is there, but your users won’t know how to perform functions, such as decompressing the files, to access the data.

� Offline: This type of backup involves devices that include their ownsoftware and hardware and are separate from the server. You need to know how to operate these devices because the users won’t knowhow or might not have the security access to do so. These devices aretypically the slowest because data must go from the server to anotherdevice. Many organizations place these devices on the network backbone and connect them through fiber-optic cable for higher transmission rates.

As you progress downward in the preceding bulleted list, options becomemore expensive, it takes longer for you to retrieve information, and moreinteraction on your part is required. In return, capacity and capabilityincreases dramatically.

What’s in the hardware?Backup systems are composed of backup units, backup media (where applic-able), and software components (oh, and you, the operator). These systemscome in all sizes, shapes, and dollar signs, depending on your needs. In thissection, we describe the most common ones you encounter so you can talkwith your vendor about meeting your network needs.

Backup unitsA backup unit is hardware that can be as simple as a tape device with one slot or a single network-attached storage device, or as complex as a jukeboxplatter system with mechanical arms or an entire storage area network. If youhave low data-storage requirements, a simple backup unit with more capacitythan your server will suffice. These units aren’t terribly expensive and areavailable at local computer stores. Some of these units can be daisy-chainedif you need more space.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 247

If your organization has lots of data to back up, you might consider a jukeboxapproach or a sizable network-attached storage device. A jukebox is a devicethat looks like a little computer tower with a door. Inside, it has several slotsplus a mechanical arm that can insert and move around tapes or CDs. Withthis type of system, you typically can insert a week’s worth of backup tapesand let the system back up unattended. A network-attached storage device isbasically a specialized server with LOTS of hard disks. Its sole function is tostore and retrieve files and disk images upon request.

Backup mediaBackup media means tapes, cartridges, CD-WORMs (write once, read many),erasable CD or DVD discs, diskettes, and more. Any device on which abackup unit stores data becomes the medium. Backup media come in manyshapes and sizes. You want to make sure that you follow the manufacturer’srecommendation for purchasing the right medium for your unit.

Don’t buy video-grade tape cartridges at your local discount store for yourbackup purposes. Purchase data-grade tapes, which cost more but aredesigned for more rugged use.

Backup media come not only in different physical sizes but also in differentcapacities. Some tapes store as much as 800GB of uncompressed data.Erasable CD-ROMs store as much as 700MB in uncompressed mode and up to1GB or more of textual data in compressed mode. Better yet, high-definitionDVD-ROM storage capacities reach upwards of 25GB per disc using raw,uncompressed formatting. Regardless of which unit and medium you select,get plenty of them so you can work on a rotational scheme without continu-ally using the same medium. We’ve seen folks who buy just one tape and usethat tape over and over until it’s time to restore from that tape. And guesswhat, the tape was defective; therefore, there was no backup! Spread outyour backups over multiple tapes to minimize putting all your eggs in onetape basket!

SoftwareYou can use the Windows Server 2008 built-in backup software on a third-party backup device, or you can use the software that comes with the device.We prefer to use third-party software because it’s designed to work with certain manufactured devices, and the drivers are always readily available —and sometimes offer greater flexibility or features over native tools. However,that’s not to say these native backup facilities aren’t worth your time — thereare plenty of compelling reasons why you should use Windows Server 2008Backup, including faster backup technology using Volume Shadow CopyService, simplified restoration and recovery, improved scheduling, backupcapability for applications, support for DVD media, and much more.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 248

One caveat, however small or large, is that you can’t back up to tape inWindows Server 2008 Backup. Be prepared for a bumpy ride if you’ve beenusing ntbackup.exe for all your archival tasks — so much has changed thatconfigurations and interfaces are entirely incompatible. Backup settings willnot be upgraded, images created in ntbackup can’t be recovered in Backup,and you need a separate disk to run scheduled backups. However, you maydownload a copy of ntbackup for Windows Server 2008, but you can utilizeonly legacy ntbackup images — you can’t create new ones. For more details,visit http://go.microsoft.com/fwlink/?LinkId=82917.

Installation of the devices goes much smoother when you use the recom-mended software. Always keep a copy of the backup software off-site in case of a fire or other disaster. If you lose all your equipment, you’ll need toreload this software on another machine before you can restore data. Andthis brings up another new feature to Windows Server 2008 Backup: offsitebackup removal for disaster protection. Now you can save backup data tomultiple participating disks and sites, enabling scheduled backup locationsto automatically seek the next disk in the event a primary selection fails orbecomes inaccessible. Isn’t that nice?

Beep! Beep! Planning BackupsOne of the most important tasks that you can perform is to plan your backup.Some of the best backup systems and methods can still fail, so it’s smart toalways test them first.

Storing backup tapes off-siteIt’s common for companies to store their backup tapes in a fire-proof safe —usually in the computer room where the fire might occur. These safes aregreat for one thing, and one thing only: paper. They’re designed to withstandenough heat so paper doesn’t burn. This heat, however, is more than suffi-cient to melt any tapes that may be stored in them.

For this reason, smarter companies store tapes off-site on a daily, weekly, ormonthly basis, depending on how often data changes. Companies that usedrives instead of removable media often make arrangements with Internetbackup services to copy their backups to a remote site across the wire.Storing data off-site ensures data availability in case of a disaster, such as afire or a flood. If a disaster were to occur, a new system could be installed,and data could be restored.

There are companies that provide off-site data vaulting for a fee. The tapesare picked up periodically and transferred to an off-site safe facility for vault-ing. If needed, customers can call to get the required tapes for a restore. Such


19_180433 ch13.qxp 2/25/08 7:49 PM Page 249

companies might have different service contracts. Although it’s more costlyto have this service 24 hours and 7 days a week, spending the extra funds toensure access to tapes might be justifiable, depending on the operation andhow critical the data is.

Documenting your hardware and its settingsIt’s especially important to document your hardware and its settings becauseit saves time that would be spent guessing and trying different configurationsto get the system back up and ready for data to be restored from tape.Generally, accurate and comprehensive documentation ensures fast and reliable recovery.

Document all important settings, such as the following:

� The size of volumes or drives

� The type of file system used

� Whether the file systems are File Allocation Table (FAT) or NT FileSystem (NTFS)

� Whether you’ve been using any kind of fault tolerance on your disk subsystem, such as mirroring or some type of Redundant Array ofInexpensive Disks (RAID)

� The part numbers of all the components installed in your systems

� All the vendors and your contacts. If the components in your system arefrom one of the large server manufacturers, such as Compaq or HewlettPackard, they might loan you a system to recover your data.

Finally, have all your device drivers readily available.

Practicing disaster recovery for your systemIt’s wise to practice disaster recovery periodically to ensure its successwhenever it’s required after a real disaster. In large companies, it’s normalpractice and, in fact, mandated by management. Whereas it’s easy to makethis statement, actually implementing this practice is harder than you maythink. The problem is that you can’t attempt to recover your data on a pro-duction system (which is a system already used for another function). If youdo and the backup is corrupt, your live data will become corrupt as well.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 250

Many organizations purchase a second system with the same specificationsas the production system as a backup. These systems tend to get “borrowed”for other pilot projects and come into production.

Windows Server 2008 has a new feature that makes disaster recovery mucheasier. This feature is similar to a third-party solution in which a total systemrecovery is possible with a few diskettes. Search for disaster recovery in theWindows Server 2008 Help and Support Center for more information.

The Windows Server 2008 Backup Facility

Microsoft used to include a backup program called ntbackup with itsWindows NT operating systems. Windows Server 2008 ceases this tradition,opting instead for a much revised (and entirely incompatible) and optionalBackup facility. The Windows Server 2008 version of Backup retains the capa-bility to back up to nontape media and access network resources, and itincludes built-in scheduling capabilities. These features were present in theWindows 2000 and Windows Server 2003 version of ntbackup but absent fromthe Windows NT version.


Great features of Windows Server 2008 BackupAs mentioned earlier, Windows Server 2008Backup doesn’t use tape storage devices. It optsinstead to use internal and external disks, sharedfolders, and — perhaps most impressive of all —DVD media. Windows Server 2008 still supportstape storage drivers, which may be utilized incustom or third-party archival applications.

Backup’s simplified design is ideal for medium-sized organizations or individuals not working asIT professionals, such as small business owners,but it can work for just about anyone. IT analystsand planners, early platform adopters, and secu-rity architects are chief among this collectivewho are often responsible for safekeeping orarchiving various types and amounts of data in anumber of occupational capacities.

Removable Storage Manager (RSM) — now anaspect of Server Manager — is an integratedpart of the Windows Server 2008 operatingsystem. This service is responsible for managingtasks such as the mounting and dismounting ofstorage devices on behalf of Windows Server2008 Backup software. Relieving the backup soft-ware of these tasks and making them part of theoperating system, unlike previous versions ofWindows NT, makes the software much morereliable and robust.

Finally, you can back up (and restore) using theBackup Wizard. The wizard will ask you all thequestions that you need to answer for a backupto be completed properly. See the “Schedulingbackup jobs” section in this chapter for moredetails on the Backup Wizard.

19_180433 ch13.qxp 2/25/08 7:49 PM Page 251

Looking at the big pictureWindows Server 2008 ships with a completely new Backup facility thatincludes two methods for backing up your server: a GUI interface(Start➪Administrative Tools➪Windows Server Backup) and command lineexecution (\WINNT\system32\ntbackup). We prefer the advanced mode of the GUI interface (shown in Figure 13-1) for quick manual backups and thecommand line interface for batched and scheduled backups.

These methods aren’t exactly unattended because you have to start them torun manually — unless you set them up with a scheduler task to run automat-ically at a preset time. Although somewhat crude and not so fancy, WindowsServer 2008 Backup is better than nothing. If your budget is low and you can’tafford to purchase a solution from a third-party vendor that specializes inbackup software, this is the way to go. And the best part is that it’s free! (It’sincluded in the price of Windows Server 2008.)

Before purchasing a third-party backup product or using the Windows Server 2008 built-in backup program, search the Microsoft Knowledgebase(support.microsoft.com) for known bugs and problems regardingbackup issues. Be specific in the search (that is, search for Windows Server2008 BACKUP). Also, always install the latest service pack, which will correctmost minor bugs known to Microsoft.

Figure 13-1:The built-inGUI backupin WindowsServer 2008.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 252

You may install Backup through Windows Server 2008 Server Manager. Justfollow these instructions:

1. Choose Start➪Server Manager.

The Server Manager console appears.

2. Select Features Summary and then click Add Features.

The Add Features Wizard appears.

3. Under Select Features, choose Windows Server Backup and then click Next.

4. After you reach the Confirm Installation page, click Install.

5. Click Close.

This provides you with the basic ability to back up and recover WindowsServer 2008 applications and data.

Performing command line backupsYou execute ntbackup from the command prompt using the following syntax:

ntbackup backup [systemstate] “@bks file name” /J {“job name”} [/P {“pool name”}] [/G {“guid name”}] [/T { “tape name”}] [/N {“media name”}] [/F {“file name”}] [/D {“set description”}] [/DS {“server name”}] [/IS {“server name”}] [/A] [/V:{yes|no}] [/R:{yes|no}] [/L:{f|s|n}] [/M {backup type}] [/RS:{yes|no}] [/HC:{on|off}] [/SNAP:{on|off}]

Yikes, that looks complicated! But don’t worry, it really isn’t that bad. In mostcases, you’ll need only a handful of parameters rather than all of them. Thebest place to get more details on using ntbackup from a command line is theCommand Line Reference, which you can access by typing ntbackup /? fromthe Run command. This displays a help window that contains the correctsyntax for ntbackup, along with excellent descriptions, restrictions, require-ments, and suggested uses of each parameter. Plus, several examples helpyou figure out how to use the command line syntax.

However, we really don’t see much of a need for command line operation ofntbackup, especially because the GUI tool offers scheduling. But if you’rereally into batch scripts and would rather do things the hard way, be our guest.

Some files that are hard coded into ntbackup don’t get backed up, and youcan’t change or alter this. Following are some of the files and other thingsthat don’t get backed up:


19_180433 ch13.qxp 2/25/08 7:49 PM Page 253

� Open files: Users can’t have files open while the backup is running.Those files won’t be backed up. Have the users log off the system anddisconnect them from any shares.

� Temporary files: No temporary files, such as PAGEFILE.SYS, arebacked up.

� File permissions: The account used to perform the backup must havepermission to read files.

� Other Registries: Only the local Registry is backed up. Registries onother servers are not backed up.

Selecting targets and volumes In the Windows NT version of ntbackup, you could choose the files that youwant to back up only through the GUI. The Windows 2000 and WindowsServer 2003 versions allow you to either select a root drive or directory fromthe command line or use the GUI to define a backup selection file (a .bksfile). Windows Server 2008 changes the game slightly and permits you toselect among the local drive volumes.

To create a Backup image of select volumes, follow these steps:

1. Choose Start➪Administrative Tools➪Windows Server Backup.

The Welcome to the Backup or Restore Wizard screen appears.

2. Under the Actions pane at right, choose Backup Once.

The Backup Once Wizard appears.

The first time through, you may only choose Different Options. After youspecify a default backup schedule, you can select the option The SameOptions That I Use for Scheduled Backups.

3. Click Next.

4. Under Select Items, choose Custom and click Next.

5. Select or deselect the selected volumes and click Next.

There may be several to choose from, and you may also select whetherthis should be a recovery image, which is selected by default. (See Figure 13-2.)

6. Under Specify Destination Type, select the appropriate target(s) and click Next.

The options are Local Drives or Remote Shared Folder.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 254

7. Click the Start Backup button to back up to the location you selectedin Step 6.

Windows Server Backup will create images of all the drives you selectedin Step 5.

If you prefer to use the Windows Backup and Restore center, please readthe next section for information on using that version instead.

Specifying backup destination and media settingsNow that you’ve selected the files that you want to back up, you can choosethe backup destination. If you don’t have a tape drive installed on yoursystem, the ntbackup program defaults to a file as its backup destination.Otherwise, simply select the backup device to which you’d like to back upthe information as follows:

1. Choose Start➪All Programs➪Accessories➪System Tools➪WindowsServer Backup.

The Welcome to the Backup or Restore Wizard screen appears.

2. Click Advanced Mode.

Figure 13-2:Selecting

volumes tobe backed

up.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 255

3. Click the Backup tab.

4. Choose the backup destination (File or Tape):

• File: Choose File in the Backup Destination drop-down list. In theBackup Media or File Name box, type the full path and filename (or click the Browse button to find it).

• Tape: Choose a tape from the Backup Destination drop-down list.

5. Click the Start Backup button.

Scheduling backup jobsAs mentioned previously, scheduling backup jobs is a built-in feature ofWindows Server 2008 Backup. Scheduling backup jobs is as simple as following these steps:

1. Choose Start➪All Programs➪Administrative Tools➪Windows ServerBackup.

2. In the Actions pane at left, choose Backup Schedule.

3. Click Next.

4. Choose whether to create a Full Server (Recommended) or CustomBackup selection.

5. Answer the questions presented to you by the wizard.

You’ll notice that you’re prompted for a username and password. Theuser performing the backup (probably you) must be either an adminis-trator, a member of the Backup Operators group, or have equivalentrights of these groups.

6. Under Specify Backup Time, specify the frequency of the job and click Next.

The options are Once a Day or Multiple Backups Every Day. If youchoose the second option, select the appropriate time slots.

7. Continue through to the Confirmation dialog box to complete this task.

The calendar in the Schedule Jobs tab changes to reflect the jobs.

Restoring from a BackupBacking up your data is only half the picture. The other half involves restor-ing files on the network. We hope that you have to restore only a few files forusers from time to time. Making regular backups along the way makes this


19_180433 ch13.qxp 2/25/08 7:49 PM Page 256

task friendly and easy. However, in a fire or other disaster, you might loseyour data and computer equipment, including the server to which you needto restore. We hope that you heed our advice when we say to rotate tapes off-site each week to plan for this catastrophe. If you also lose the server, wehope that you have a good working relationship with your local vendors soyou can get equipment in a hurry.

The most important thing to remember when restoring your network is topractice the restoration process when you aren’t under the gun. This notonly gives you confidence in performing the task, but also periodically teststhe integrity of your backup. Although you can examine log files each morn-ing, it’s better to perform real restore tests — just like a dress rehearsal.When disaster does strike and you need to perform a real restore, all sorts ofpeople will be looking over your shoulder asking you when things will be upand running. If you confidently know your backup system, you can performthis task under extreme pressure. Don’t wait until the last minute to test andlearn the system.

Always restore the system files (\SYSTEM32\CONFIG and Registry files) first,reboot, and then take a peek at the system to make sure everything looks likeit’s in place. Then restore the data files. If you plan your network directoryand volume structure to segment system and data files, this task is mucheasier. Know ahead of time whether certain business departments requirethat their data be restored first. Sometimes this isn’t necessary, but ininstances where a customer service department exists, they usually want thenetwork back up right away with immediate access to their data. Why?Because they’re servicing the external customers that generate the revenuefor your organization! Before restores become necessary, try to devise arestoration order plan for your network and practice it.

Note that sometimes you can’t restore Windows Server 2008 system files; youmay have to reinstall Windows Server 2008 and then restore the system files.

Third-Party Backup OptionsBecause Windows Server 2008 is such a new operating system, currently nothird-party options are specifically designed for it. Rest assured, however,that this won’t remain so for long.

We always recommend going with well-recognized, name-brand, third-partycompanies to ensure good compatibility with Windows Server 2008 and other network operating systems. Most of the popular packages support thecapability to back up several different network operating systems at one timeand contain easy-to-use interfaces for backup and restore options.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 257

Finding third-party packagesOne easy way to find other third-party backup software is to visit popularsearch engines on the Internet, such as www.search.com, and enter the keywords Windows Server 2008 Backup. Discount Internet shops, such asCDW (www.cdw.com), provide information about various backup devices inone handy location. On the CDW Web site, go to the Hardware section, clickthe Data Storage option, and look at how much information you have.

The backup market has two types of vendors: small-business backup solutions and enterprise backup solutions. We list the top vendors in eachcategory to get your search started:

� Small business:

• Exabyte, www.exabyte.com

• ADIC (Advanced Digital Information Corporation), www.quantum.com/AboutUs/ADIC/Index.aspx

• Hewlett-Packard,http://welcome.hp.com/country/us/en/prodserv/storage.html

� Enterprise business:

• Symantec Veritas,www.symantec.com/enterprise/theme.jsp?themeid=datacenter

• Legato, www.software.emc.com

Search the backup vendors’ Web sites for white papers and cost of ownershipdocuments. This information is free, and a lot of research has been compiled.You can use this information to convince management of your backuprequirements.

Evaluating backup systemsRegardless of which vendor you choose, the following checklist providessome helpful criteria in evaluating tape systems. Determine the requirementsfor your organization and query the vendor as to whether their product hasthe features you desire — and whether you have to pay extra for some add-on modules.

This list should give you a good idea of what you may need when choosing atape backup system:


19_180433 ch13.qxp 2/25/08 7:49 PM Page 258

� Critical system files: An essential feature in any tape system that youpurchase is that it can back up the Windows Server 2008 system files —such as the Registry and event logs, security information, user accounts,and access control lists — in addition to the actual data.

� Fast media index: When backing up large amounts of data, it’s criticalthat during the restore process you’re able to obtain a catalog of themedia contents within a minute or two. You don’t want to wait 30 min-utes each time you need to see the contents of a particular medium.

� Multiplatform support: Networks that support multiple platforms, suchas Novell, Microsoft, and UNIX, are easier to back up if one backupsystem can support more than one platform.

� Client backups: Some users simply refuse to store files on the network.In this case, look for a package that automates client workstation back-ups across the network to your tape backup system. Some popular systems already include this option. Ask which client operating systemsit supports — for example, Macintosh, UNIX, Windows, and OS/2.

� Unattended operation: Some tape systems work like jukeboxes andhave a mechanical arm that inserts and removes tapes, so you can gohome while the backup runs. These systems are expensive, but if youhave a lot of data to back up and don’t want to insert tapes all night,look for this feature.

� Scheduling features: If you want to perform incremental and full back-ups on different days, look for a system that is flexible and allows you to automate the scheduling features based on the day of the week.

� Open files: Open files are files in use during the backup operation. Notall backup systems are designed to back up open files, and some evenhalt when they get to one that’s open. Most systems skip over the fileand write an exception to a log file. More than likely, you want a backupsystem that backs up open files.

� Security and encryption: For small operations, this feature may not beas critical. For larger environments, ask the vendor how its system handles passing information through the network, such as passwordsand account information.

� Hierarchical Storage Management (HSM): You want to make sure thevendor’s product supports online, nearline, and offline storage and canmanage using all three at one time.

� Data storage size: You want to find out how much data you can back upto the system (MB or GB), the size of the tapes the system uses (4mm,8mm, DLT, or others), and whether it compresses data.

� Remote management: Getting to monitor backup status and progressremotely instead of being in front of the console is a handy feature.

� Scalability: Find out whether this system can be scaled to a larger environment should your network grow.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 259

� Security access: Running an unattended backup means that a devicemust either log on to the network while you’re gone or remain logged onwith the keyboard locked. Check with the vendor as to how the productlogs on to the network and maintains security.

The Backup OperatorBefore a user is allowed to back up or restore the system, he or she must be amember of the Backup Operators group. This group is the same as the BackupOperators group in Windows NT, but Windows Server 2003 (and by extension,Windows Server 2008) has changed the procedures for adding users to thegroup and changing the group’s policies. Depending on whether you’re run-ning Windows Server 2008 with Active Directory, the steps involved in addinga user to the Backup Operator group will be slightly different.

By default, the Backup Operators group doesn’t have any members. It’ssimply an empty container or a placeholder for when you need to assignbackup and restore rights to users.

To modify the membership of the Backup Operators group when ActiveDirectory isn’t installed (in other words, when your server is configured as anormal server instead of a domain controller), follow these steps:

1. Choose Start➪All Programs➪Administrative Tools➪ComputerManagement.

2. In the left pane, expand the System Tools icon and highlight the LocalUsers and Groups icon.

If you don’t see Local Users and Groups, it’s probably because that snap-in hasn’t been added to the Microsoft Management Console, or itmay be that you’re working on a domain controller, which is strictly controlled through Active Domain Users and Computers. If you’re notworking on a domain controller, you can type dsadd.exe into the Searchbox that pops up above the Start button when you click it. If you areworking on a domain controller, you must use the Active Domain Usersand Computers utility, which you can launch by typing dsa.msc into theaforementioned Search box instead.

3. In the right pane, double-click the Groups option.

At this point, all the groups that currently exist on your system are displayed in the right pane.

4. Highlight and right-click the Backup Operators group and choose theAdd to Group option.

5. Click the Add button and type the username that you’d like to becomea member of the Backup Operators group.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 260

6. Click Check Names and then click OK.

To modify the membership of the Backup Operators group when ActiveDirectory is installed, follow these steps:

1. Choose Start➪All Programs➪Administrative Tools➪Active DirectoryUsers and Computers.

2. In the left pane, double-click the tree to expand it.

3. In the right pane, double-click the Builtin folder.

4. In the right pane, double-click the Backup Operators group.

5. Click the Members tab.

6. Click the Add button to add users.


19_180433 ch13.qxp 2/25/08 7:49 PM Page 261


19_180433 ch13.qxp 2/25/08 7:49 PM Page 262

Chapter 14

Network Security ManagementIn This Chapter� Finding out about basic network security

� Understanding how Windows Server 2008 handles security

� Applying service packs

� Developing the right security attitude

� Finding and filling Windows Server 2008 security holes

� Examining security resources

In the ever-changing world of information technology, protecting privatedata from prying eyes is becoming increasingly important. Maintaining

a solid security posture that prevents access to internal information,processes, and resources is critical to sustaining a competitive edge and to ensure self-preservation in hostile environments. In this chapter, we discuss how to impose tight security on Windows Server 2008.

When you install Windows Server 2008 out of the box, it doesn’t provide atotally secure environment, although it’s much more secure than previouseditions. You must customize security details on Windows Server 2008 tobest suit your operating environment. This process involves executing multiple steps, careful planning, double-checking your settings, and a fewnoncomputer activities. If you don’t care about the security of your data, you can skip this discussion entirely, though we can’t imagine this applies totoo many of our readers.

The goal of security isn’t to create a system that’s impossible for a hacker or misguided user to compromise. Instead, the goal is to erect a sufficientlyimposing barrier against intruders so that the difficulty they encounter whileattempting to break in is significantly higher than on someone else’s system.It’s kind of like building a brick wall around your yard so tall that it discour-ages an intruder from climbing over — so that the intruder goes into yourneighbor’s yard instead. Your goal is to convince attackers to go after easier targets. By following the prescriptions in this chapter, you can deploya Windows Server 2008 system that’s not only harder to crack than yourneighbors’ but also nearly watertight!

20_180433 ch14.qxp 2/25/08 7:50 PM Page 263

Protecting proprietary and private electronic property defends against outside attackers, but it also involves erecting a barrier against insideassaults and taking precautions against other threats to your data as well.

Network Security BasicsThe basic precepts of network security require you to keep unauthorizedpeople out of your network, to keep unwanted data out as well, and to keepwanted data in. Leave it to us to point out the obvious!

Creating a secure environment requires you to pay attention to three keyareas, or martial canons:

� Understanding the operating system (or systems)

� Controlling physical access to the computer

� Educating human users

These three areas are like legs on a barstool. If any one of these legs is weak,the person on the stool will hit the floor. Nobody wants to be that person. It hurts!

In this section, we briefly discuss the issues involved with maintaining physical control and educating users. The third leg, the operating systemitself, is our subject for the remainder of this chapter.

Getting physicalControlling physical access means preventing unauthorized people fromcoming into close proximity to your computers, network devices, communi-cation pathways, peripherals, and even power sources. A computer systemcan be compromised in several ways. Physical access is always the first stepin breaking into a system. Remember that physical access doesn’t alwaysmean a person must be in your office building. If your network has dial-upaccess, someone can gain access remotely.

Controlling physical access means not only preventing access to keyboardsor other input devices but also blocking all other means of transmitting to orextracting signals from your computer system. You want to exercise greatcare over what goes into and flows out of your network, thereby safeguardingeverything within it.

Protecting the computer room and operating environmentSome physical access controls are obvious to everyone:


20_180433 ch14.qxp 2/25/08 7:50 PM Page 264

� Locking doors

� Using security badges

� Employing armed guards

� Using locking cases and racks

If you address only these items, you still leave other access methods wideopen. You must think about the architecture, structure, and construction ofyour building. Can ceiling or floor tiles be removed to gain entry over orunder the walls? Do ventilation shafts or windows provide entry into lockedrooms? Are you feeling paranoid yet?

A person getting into your computer room isn’t the only concern you should have. You also must think about the environment in which computersoperate. Most computers operate properly across only a limited range oftemperatures. Therefore, if intruders can gain access to thermostat controls,your system can become compromised. What is the one thing that all com-puters need? Electricity. Is your power supply secure? Can it be switched offoutside your security barriers? Do you have an uninterruptible power supply(UPS) attached to each critical system? Did you install a backup phone lineindependent of the regular land line in case of emergency?

Even after preventing entrance into the computer room and protecting theoperating environment, you still haven’t fully secured your computers physically. You need to think about your trash — yes, the trash! You would beamazed at what private investigators and criminals can learn about you andyour network from information discarded in your trash. If you don’t shred orincinerate all printouts and handwritten materials, you may be exposingpasswords, usernames, computer names, configuration settings, drive paths,or other key data. Trust us, this happens more often than you’d care to know,occasionally with enough oomph to make the nightly news.

Do you think we’ve covered everything now? Wrong! Ponder these issues:

� Does the nightly cleaning crew vacuum and dust your computer closet?

� Is that crew thoroughly screened and properly bonded?

� How often does the crew unplug computer systems to plug in cleaningmachines?

� Is the key that unlocks your front door also the key that unlocks thecomputer room?

� How do you know that the cleaning crew isn’t playing with your computer systems?

� How do you know that the members of the cleaning crew are who youthink they are?

� Are floppy drives installed on servers and other critical systems?

265Chapter 14: Network Security Management

20_180433 ch14.qxp 2/25/08 7:50 PM Page 265

� Can systems be rebooted without passwords or other authenticationcontrols (for example, smart cards)?

� Do servers have extra ports ready to accept new attachments?

� Are your backup tapes stacked beside the tape drive?

� Are your backup tapes protected by encryption and passwords?

� Are all backup tapes accounted for? If some are missing, do you knowwhat information was stored on them?

� What really happens in your office building after business hours? Arethe doors locked every night?

If you can still sleep at night, you probably have most of these items undercontrol. If you can’t answer some of these questions with a solid, reassuringresponse, you have work to do. Get going!

Guarding against notebook theftSo far, physical access issues we’ve discussed focus on stationary comput-ers. But what about mobile machines? Remember that expensive notebooksystem you purchased for the boss, that manager, and a system administra-tor so they could work while traveling and connect to the network over thephone? Should one of those notebooks fall into the wrong hands, somebodymight have an open door through which they could access your network andtake or ruin whatever they please.

Notebook theft is becoming the number one method for gaining access tocompany networks. Most notebooks are stolen at the airport. (We bet youcould’ve guessed that one!) Although most travelers are smart enough not tocheck notebooks as luggage, there’s one common location where notebooksand their owners are separated — the metal detector. All it takes is a fewmoments of delay while waiting to walk through the metal detector afteryou’ve placed a notebook on the x-ray conveyer, and poof — the notebook isgone by the time you reach the other end.

And despite all the precautions taken while traveling with notebooks, lapses in routine or procedures can allow opportunistic miscreants to takeadvantage: leaving one unattended. It may be in the car while retrieving out-of-town mail piling up at the post office, or making a quick stop at acorner store on the way home. In such unguarded moments, notebooks canand will disappear, and their absence may go completely unnoticed until youarrive home to collect your travel gear.

Controlling physical access in the workplace is also important because withoutaccess to a computer system, hackers can’t break in. If you fail to manage physical access to your network, you’re relying on operating-system-supported


20_180433 ch14.qxp 2/25/08 7:50 PM Page 266

software security to protect your data. In that case, there’s another glaringproblem to contend with — if you’ve failed to properly educate networkusers, your security may already be compromised.

Informing the masses about security policiesThe most secure network environment is useless if users don’t respect the need for security. In fact, if left alone, most humans find the path of leastresistance when performing regular activities — like leaving a notebook unattended in an unlocked car. In other words, users will do anything to maketraversing security simple — such as automating password entry, writingdown passwords in plain view, mapping unauthorized drives, installing unapproved software, transferring data to and from work and home on flashdrives, and attaching modems to bypass firewalls or proxy servers. If you usesoftware-based or operating-system-based security measures, users oftenfind ways around them, or to reduce their effectiveness.

User education is a two-pronged process:

� First, network users must understand what security means, why it’simportant, and what measures are in place on your network.

� Second, violations of security policy and practice must be dealt withswiftly and strictly.

Educating network users In most cases, educating network users means preparing an official docu-ment that details and explains all security restrictions, requirements, andpunishments. This document, known as a security policy, serves as a networkconstitution, or its governing body of regulations. It also helps maintain network security and lets violators know they’ll be prosecuted.

So, what does a user need to know about security imposed on an organiza-tion’s network? Here’s a brief list of highlights:

� Use passwords properly and choose them wisely. (Don’t use an obviousname or number, such as a pet’s name or your birth date.)

� Never write down or share passwords.

� Never share security badges and smart cards or leave them unattended.

� Restrict network access to authorized employees only.

� Don’t share user accounts with other employees or with anyone outsidethe organization.


20_180433 ch14.qxp 2/25/08 7:50 PM Page 267

� Don’t distribute data from the network in any form outside the organization.

� Don’t step away from your workstation while you’re logged on to the system.

� Understand the various levels of security in place on the network andthe purpose of the stratification.

� Don’t install unapproved software.

� Make it clear to all employees that tampering, subverting, or bypassingsecurity measures is grounds for termination of employment.

� Respect the privacy of the organization and other users.

� Deal with violations of the security policy in a swift and severe mannerwithout reservation or exemption.

Punishing users for violating the security policyIf a user violates a significant clause in the security policy, a severe punish-ment must be applied. In most cases, firing the individual is the only form ofpunishment that controls the situation effectively and prevents other usersfrom making the same mistake. The repercussions of violating the securitypolicy must be detailed in the policy itself. And if you spell out the punish-ment, you must follow through. Even if your top programmer is the culprit,he or she must receive the same punishment as a temporary mail handler.

Most analysts have discovered that deploying a severe security policy resultsin a common pattern — a short-term improvement in security, followed by abrief period of laxness, which results in violations, causing several users tobe fired, which then results in an overall sustained improvement in security.Companies have reported that the loss of manpower because of violationswas negligible in comparison to the prevention of security breaches.

You should create your own security policy that includes details about physi-cal control, user education, and operating-system-level security measures.Remember the adage about the ounce of prevention. (It beats a pound ofcure, every time.)

Windows Server 2008 and SecurityWindows Server 2008 security adheres to several significant principles, chiefamong which is access control. Access control depends on user identity, andnormally attaches to user accounts. To access a Windows Server 2008 com-puter or network, users must possess a user account with a valid username


20_180433 ch14.qxp 2/25/08 7:50 PM Page 268

and password. But then, anyone who knows a valid username and passwordcombination can gain access. Thus, both usernames and passwords for useraccounts must be protected.

Windows Server 2008 includes several new features and functions to helpmake it more robust, secure, and reliable than its predecessors. Its servicescan be componentized into discrete roles necessary to sustain specific net-work functions such as DHCP or DNS, and they’re hardened against variousforms of remote attack. Windows Server 2008 also incorporates NetworkAccess Protection, Federated Rights Management, and Read-Only DomainController capability to further strengthen its security posture to help protect your organizational assets.

Let’s briefly define what some of these features do:

� Network Access Protection isolates noncompliant computers that violate organizational policy to provide restriction, remediation, andenforcement.

� Federated Rights Management services provide persistent protectionfor sensitive information, reduce risk, enable compliance, and delivercomprehensive data protection.

� Read-Only Domain Controller capability enables Active DirectoryDomain Services deployments with restriction to replication of the fullActive Directory database for stronger protection against data theft.

The following paragraphs define and detail the fundamental principles, poli-cies, and procedures behind a solid security posture. These apply equally toany organization, no matter how large or small its operational capacity.

Usernames are more than just namesProtecting usernames isn’t always simple, but a little effort subverts easyattacks. Here are a few precautions you can take:

� Make usernames complex. Don’t create usernames that employ just thefirst or last name of a person. Combine two or more elements to create a name, such as first name, last name, initials, department code, or divi-sion name. You should also avoid using users’ e-mail addresses to nameaccounts. This makes guessing user names a bit more difficult. Even if a hacker knows your naming convention, making usernames complexmakes brute-force attacks, in which every likely or possible password isattempted, more difficult. (See Chapter 11 for more information onnaming conventions.)


20_180433 ch14.qxp 2/25/08 7:50 PM Page 269

� Rename common accounts. These include the Administrator, Guest, and IUSR_<servername> (created by Internet Information Services, or IIS) accounts. Rename these to something descriptive but not easilyguessed. Then, create new dummy accounts with the original namesthat have absolutely no access. This serves as a decoy for hackers,effectively wasting their time and giving you more opportunity to discover who they are. You can even monitor access to these accountsto observe when would-be attackers are seeking unauthorized access.

� Include a restriction to prevent users from employing their networklogon usernames as logon names anywhere else. In other words, auser’s network logon name shouldn’t be used as a logon name for Websites, File Transfer Protocol (FTP) sites, or other external systems. Ifusers don’t use the same logon names everywhere, they’ll be lesstempted to use the same passwords everywhere as well.

Even with these precautions, usernames can be discovered. The importantissue here is to make obtaining any data item needed to log on to your net-work as difficult as possible. After a username is known, the responsibility of protecting your network rests on the strength of its associated password.

Passwords and securityPasswords are the primary means by which unauthorized access to a systemis prevented. The stronger the password, the more likely security will remainintact. As part of your security policy, you must require that strong passwordsbe used by each and every user. (See the upcoming “A few more things aboutpasswords” section for guidelines for crafting strong passwords.) A singleaccount compromised can result in unfettered access to entire systems.

Strong passwords can be enforced using built-in controls in Windows Server2008. By employing all system-level controls that force strong passwords,little additional effort is required to ensure that users comply with the security policy. New to Windows Server 2008 is password-setting granularity:You may implement password settings on a user or group basis. No longerare you restricted to single, all-encompassing settings for a whole domain,which requires separate domains for separate settings. This occurs com-monly where an organization requires different password settings that affectmultiple, different administrative accounts.

Accounts Policies define restrictions, requirements, and parameters for thePassword, Account Lockout, and Kerberos policies. To access AccountsPolicies, follow these steps:

1. Choose Start➪Run.

2. Type gpmc.msc into the Start Search field and press Enter.

3. Double-click your forest name to expand its settings.


20_180433 ch14.qxp 2/25/08 7:50 PM Page 270

4. Expand Domains, select your domain name once more, and double-click to expand.

The Group Policy Management Console appears. An additional dialogbox may also appear, stating that you’ve selected a link to a GroupPolicy Object (GPO) and that any changes made here are exercised glob-ally wherever this GPO is linked (except for changes to link properties).

5. Right-click the Default Domain Policy entry and choose Edit.

The Group Policy Object Editor appears.

6. Under the Computer Configuration node, expand the WindowsSettings item.

7. Under the Windows Settings node, expand the Security Settings item.

8. Under the Security Settings node, expand the Account Policies item.

Now you can see the Password, Account Lockout, and Kerberos policiesin the right pane of the Local Security Settings window, as shown inFigure 14-1.

Password PolicyAfter you’ve found the Account Policies option, you can access the PasswordPolicy by choosing Account Policies➪Password Policy. The six options shownin Figure 14-2 allow you to control the requirements for user passwords. Thehigher you raise the bar in each of the six options, the stronger the passwordrequirements become, thereby making it increasingly less likely that brute-force attacks will succeed against your system.

Figure 14-1:The

Password,Account

Lockout andKerberos

Policiesappear on

the right.


20_180433 ch14.qxp 2/25/08 7:50 PM Page 271

In the following list, we briefly explain each option, spell out the default setting, and recommend the most appropriate settings for general use:

� Enforce Password History: We recommend a setting of 5 or greater,which means that the system remembers the last five passwords usedso he or she can’t reuse any of them.

� Maximum Password Age: Use this option to define when passwordsexpire and must be replaced. We recommend settings of 30, 45, or 60 days.

� Minimum Password Age: Use this option to define how long a user mustwait before changing his or her password. We recommend settings of 1, 3, or 5 days.

� Minimum Password Length: Use this option to define the smallestnumber of characters that a password must include. We recommend atleast eight characters for best results.

� Passwords Must Meet Complexity Requirements: (Astute observersmay notice that this was disabled by default in previous versions.)Complexity requirements are rules, such as, requiring both capital andlowercase letters, requiring use of numerals, and requiring nonalphanu-meric characters. If native password requirements aren’t sufficient, werecommend that you research complexity requirements further by usingthe Windows Server 2008 Help and Support feature or the WindowsServer 2008 Resource Kit.

� Store Password Using Reversible Encryption for All Users in theDomain: By enabling this attribute, you can use Shiva PasswordAuthentication Protocol (SPAP), which is a security authenticationmechanism for the Point-to-Point Protocol (PPP) developed by ShivaCorporation. Leave this disabled unless SPAP is required by a client.

Figure 14-2:The Group

Policyediting tool,

PasswordPolicy.


20_180433 ch14.qxp 2/25/08 7:50 PM Page 272

Account Lockout PolicyThe next policy in Account Policies is the Account Lockout Policy, which governs when user accounts are locked out because of repeated failed logonattempts. (Choose Account Policies➪Account Lockout Policy.) Lockout prevents brute-force logon attacks (in which every likely or possible pass-word is attempted) by turning off user accounts. The options are as follows:

� Account Lockout Duration: Use this option to define how long to lockout an account. A setting of Forever requires an administrator to unlockan account. We recommend a setting of 30 minutes or more.

� Account Lockout Threshold: Use this option to define how many failedlogon attempts result in lockout. We recommend a setting of 3 to 5invalid logon attempts.

� Reset Account Lockout Counter After: Use this option to define the timeperiod after which the failed logon count for an account is reset. We recommend a setting of 15 minutes.

Kerberos PolicyThe last policy in Account Policies is the Kerberos Policy, which governs theactivity of secured communication sessions. (Choose Account Policies➪Kerberos Policy.) Kerberos is an advanced network authentication protocol.Using Kerberos, clients can authenticate once at the beginning of a communi-cations session and then perform multiple tasks during that session withouthaving to authenticate again. Kerberos is used to prove the identity of aclient and a server to each other. After such identity verification occurs, communications can occur without repeating this process (or at least untilthe communications link is broken).

The options for this policy are specified in the following list with their recommended settings:

� Enforce User Logon Restrictions: Enabled

� Maximum Lifetime for Service Ticket: 600 minutes

� Maximum Lifetime for User Ticket: 10 hours

� Maximum Lifetime for User Ticket Renewal: 7 days

� Maximum Tolerance for Computer Clock Synchronization: 5 minutes

For more information on establishing a secure baseline in Windows Server2008, please download the Microsoft Windows Server 2008 Security Guideand visit the Microsoft Security Web site (www.microsoft.com/security/default.mspx).


20_180433 ch14.qxp 2/25/08 7:50 PM Page 273

A few more things about passwordsWhether you enable software controls to restrict passwords, we recommendthat you include the following elements in your organization’s security policyregarding passwords:

� Require a minimum of six characters; longer is better.

� Prevent the e-mail address, account name, or real name from being partof the password.

� Don’t use common words, slang, terms from the dictionary, or other realwords in passwords.

� Don’t write passwords down, except to place them in a vault or safetydeposit box.

� Don’t use words, names, or phrases associated with users, such asfamily, friends, hobbies, pets, interests, books, movies, or workspace.

� If real words are used, garble them using capitalization, numbers, ornonalphanumeric characters — for example, Go7Ril-la instead of gorilla.

� Use numbers or nonalphanumeric characters to replace letters — forexample, ALT3RN8 L3TT3R1N9 (or “alternate lettering”).

� Use at least three out of four types of characters: uppercase, lowercase,numerals, nonalphanumeric (symbols, punctuation).

� Create acronyms to use as passwords from sentences — for example,Fifty-five dollars will pay a parking ticket = 55DwPaPt.

Through a combination of Windows Server 2008–enforced password restrictions and company security policy rules, you can improve the securityof your system through the use of strong passwords.

A Look into the Future: Service PacksMicrosoft regularly releases updates and fixes for its products, called patchreleases. It did so for Windows NT 4.0 and Windows 2000/2003, and will do sofor Windows Server 2008. Because patches from Microsoft correct all kinds ofbugs, problems, and other issues, it’s inevitable that some of these patchesaddress security problems. Therefore, it’s vital to keep informed about therelease and content of such patches.

Microsoft releases patches in two forms:

� Hotfixes: A hotfix is a patch for a single problem. Hotfixes aren’t fullytested or supported by Microsoft. A hotfix should be applied only ifyou’re actually experiencing the problem it corrects because a hotfixcan sometimes cause other problems.


20_180433 ch14.qxp 2/25/08 7:50 PM Page 274

� Service packs: A service pack is many hotfixes, tested and combinedinto a single Band-Aid. Service packs are cumulative, meaning that eachnew release of a service pack includes the previous service pack plus all hotfixes and other improvements since that time. You need to applyonly the most current service pack and any required hotfixes.

Service packs are thoroughly tested and therefore safer for deploymentthan hotfixes. However, we recommend that you delay application of a new service pack until it’s about two months old. This gives the rest of the Windows Server 2008 community the time to install and test thepatch for you. It’s always better to learn from the mistakes of othersthan to fall into the pit yourself.

Before you apply any patch to Windows Server 2008, you should read thedocumentation included with the patches. Then make the following preparations:

� Back up the system — or at least your data and the Registry.

� Reboot the system.

� Close all applications and stop any unnecessary services.

If you don’t know which level of a service pack you applied, you can check by looking at the Help➪About page from some native Windows Server 2008applications (such as Windows Internet Explorer).

In the past, the Microsoft Web site has been secretive about the location ofservice packs and hotfixes, but recently they’ve been much more forthcom-ing. The best place to find service packs is through the Windows Update tool.(It’s in the All Programs section of the Start menu and appears as a commandin the Tools menu of Internet Explorer.) You can also check out the downloadsection of the Windows Server 2008 Web area at www.microsoft.com/windowsserver2008/default.mspx.

Copping an AttitudeTo maintain a secure networking environment, you must be a pessimist. Viewevery user as a potential security leak. The key to this philosophy is to grantonly the exact level of access that users or groups need to perform theirwork tasks and absolutely nothing more. To take this to its logical end, youneed to deal with the Everyone group and user rights. This is called the principle of least privilege, and you should exercise it rigorously.


20_180433 ch14.qxp 2/25/08 7:50 PM Page 275

The Everyone groupThe Everyone group is a default group created by the system that includes all defined users and all anonymous users. Although it isn’t the catchallgroup it was in Windows NT 4.0, the expansive nature of the Everyone groupcan still cause security problems because Windows Server 2008 defaults togrant Read access to the Everyone group on new volumes and new shares.This means that you should watch closely where this group appears in yoursystem. You may be granting blanket access where you really don’t want anysnuggling going on.

The Everyone group might seem hard to track down. It doesn’t appear in the list of built-in groups as viewed through Active Directory Users andComputers, for example. However, it does appear in the list of groups whensetting security on objects. The Everyone group can’t be removed from thesystem, but it can be effectively managed with a little effort. See Chapter 11for more information on the Everyone group.

The Authenticated Users group is a standard feature of Windows Server 2008.It contains all defined users but doesn’t contain anonymous users. Generally,you want to use the Authenticated Users group instead of the Everyonegroup when you need to grant blanket access. The Everyone group mustremain on your system for backward compatibility and system-level requirements (such as allowing your system to boot).

Don’t set all permissions for the Everyone group to Deny because you’ll prevent anyone from accessing resources. Instead, just remove the Everyonegroup from the list of users and groups granted access.

Each time you create a new drive or a share, remove the Everyone group andthen add only those users or groups that need access to the resource. Just asyou don’t want everyone gaining access to your computer, you don’t want“everyone” to be allowed access to areas where it isn’t required.

User rightsUser rights are system-level privileges that control what types of activities can be performed. The default setting for user rights is reasonably secure,but you can make a few improvements. The User Rights management inter-face is accessed using the Group Policy editor. (See the “Passwords and security” section earlier this chapter.) The User Rights Assignment is locatedunder Security Settings➪Local Policies➪User Rights Assignments. Throughthis interface, user rights are granted or revoked. Here are some changes youshould consider making:


20_180433 ch14.qxp 2/25/08 7:50 PM Page 276

� Remove the Guests group from the Allow Log on Locally right: Thisinhibits nonauthenticated users from gaining unauthorized access.

� Remove the Everyone group from the Access This Computer from theNetwork right: This inhibits nonauthenticated users from gaining accessto hosted resources over the network.

� Remove the Everyone group from the Bypass Traverse Checking right:This inhibits nonauthenticated users from jumping into subdirectorieswhen they don’t have access to parent directories.

� Remove the Backup Operators group from the Restore Files andDirectories right: This inhibits nonadministrators from restoring filesfrom backup tapes. Because files can be restored to file allocation table(FAT) partitions where access control lists (ACLs) are lost, this is animportant security modification.

After you make these changes, double-check that regular users still have the capabilities they need to perform their required tasks. You may need togrant a few users or groups added user rights. For example, if you want usersto access resources on a server from across the network, you should add a group, such as Users, to the Access This Computer from the Network user right.

Plugging Common Mouse HolesWindows Server 2008 has a handful of common security holes that you needto look for and fill. Fortunately, we crawled around on our hands and knees soyou don’t have to. Just follow our advice, and you’ll be all snug and secure.

Unseen administrative sharesEach time Windows Server 2008 boots, a hidden administrative share is created for every drive. These shares are backup paths for the system just incase direct access to system files is somehow interrupted. In other words, it’sa redundancy you don’t need! The administrative shares are disabled byadding AutoShareServer to the following Registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters

A value of 0 turns administrative shares off, and a value of 1 turns them backon. Consult Microsoft TechNet for info about disabling administrative shares.


20_180433 ch14.qxp 2/25/08 7:50 PM Page 277

A hidden share is just like any other share, except a dollar sign appears asthe last character in its name. This tells the system not to display that sharein standard browser share listings. You can use the System Manager to viewhidden shares. You can create your own hidden share just by adding a dollarsign to the end of the share name.

The problem with administrative shares is that they offer unrestricted accessto every file on a drive. If the username and password of an administratoraccount ever get compromised, anyone can map to any administrative shareon the network. Therefore, it’s a good idea to turn off the administrativeshares just as a precaution.

Decoy accountsEveryone knows the name of the most important user account on yoursystem. Because Windows Server 2008 creates the Administrator accountwhen Windows Server 2008 is installed, everyone already knows that youhave such an account and exactly what its name is. Therefore, you mustchange it!

Don’t just change the name. Go one better and create a new dummy accountwith absolutely no access or privileges and name it Administrator. Thisdummy account can serve as a decoy to lure hackers away from real access.

Creating decoys for other common accounts, such as the Guest account andIUSR account (the one created by IIS), is also a good idea.

Last logged on usernameBy default, when Ctrl+Alt+Delete is pressed, the logon dialog box displays the username of the last person to log on successfully. This is insecure. Toprevent this dialog box from appearing, enable the option titled InteractiveLogon: Do Not Display Last User Name Policy. This option appears in theSecurity Options area of the Group Policy. (See the “User rights” section fordetails on finding this area.)

When good floppies go badA nifty tool called NTFSDOS v3.02 (which you can find by searching yourfavorite search engine) enables anyone to read NTFS files after booting from a DOS floppy. (This utility was once part of Winternals, now owned byMicrosoft, which has since been abandoned and all traces removed from theMicrosoft site.) The NTFSDOS drivers make possible what Microsoft once


20_180433 ch14.qxp 2/25/08 7:50 PM Page 278

claimed was impossible. Now, anyone with physical access to your system canreboot with a floppy and copy files right from NTFS-protected drives. If youvalue your data (and your job), remove floppy drives from critical systems.

Security Equals VigilanceMaintaining a secure environment is an ongoing process. Keeping up withsecurity fixes, system changes, user activity, and a security policy is often atime-consuming task. In your efforts to protect Windows Server 2008, takethe time to review the following Web sites, newsgroups, and other resources:

� Microsoft Security & Privacy Web page: www.microsoft.com/security/default.mspx

� Microsoft Security Partners:partner.microsoft.com/global/program/competencies/securitysolutions

� Windows & .NET Magazine: www.windowsitpro.com

� Somarsoft: www.somarsoft.com

� CERT Coordination Center: www.cert.org

� Xtras, Inc.: www.xtras.net

� Microsoft TechNet: http://technet.microsoft.com/en-us/default.aspx

Here are some books you may find helpful, too. (Yes, most of these titles haveWindows 2000 in them. In most cases, the information applies to WindowsServer 2003, and to some extent 2008. But keep an eye out for new editionsfocused on Windows Server 2008.)

� Microsoft Windows 2000 Security Handbook, by Jeff Schmidt (publishedby Que)

� Configuring Windows 2000 Server Security, by Thomas W. Shinder, StaceCunningham, D. Lynn White, Syngress Media, and Garrick Olsen (published by Syngress Media)

� Windows 2000 Security Little Black Book, by Ian McLean (published byCoriolis Group)

� Maximum Security, by various authors (published by Sams.net)

� Firewalls and Internet Security: Repelling the Wily Hacker, by WilliamR.Cheswick, Steven M. Bellovin, and Aviel D. Rubin (published byAddison-Wesley)

� Building Internet Firewalls, by D. Brent Chapman and Elizabeth D. Zwicky,and Simon Cooper (published by O’Reilly & Associates)


20_180433 ch14.qxp 2/25/08 7:50 PM Page 279


20_180433 ch14.qxp 2/25/08 7:50 PM Page 280

Part IVServe It Yourself

21_180433 pp04.qxp 2/25/08 7:50 PM Page 281

In this part . . .

Those computer-friendly folks who aren’t afraid of PChardware, or who revel in their sense of adventure,

are likely to find the prospect of building their ownservers both fun and interesting. But even those of youwho might be more amenable to saving money than goingboldly where you’ve never gone before can get somethingout of this part of the book, wherein we explore what’sinvolved in putting together your own server PC on whichto run Windows Server 2008.

The adventure begins with a review of what goes into alow-end server PC and what makes it different from anordinary desktop. You explore the key components of aserver from its motherboard to its processor and memoryto its storage and network connections as you find outwhat makes servers special and what kinds of hardwarethey thrive best upon.

After that, you get the chance to walk down the two pri-mary paths to server hardware. First, you take the Intelpath and look at that company’s server processors andthe motherboards, memory, and other parts that buildingan Intel-based server is likely to incorporate. Second, yourepeat this exercise with AMD components and check outtheir processors, motherboards, and so forth that harmo-nize with their use. Either way, you discover how to rollyour own server and put it to work at sometimes considerable savings over store-bought models.

21_180433 pp04.qxp 2/25/08 7:50 PM Page 282

Chapter 15

How to Be a DIY GuruIn This Chapter� Revisiting server requirements and expectations

� Multiplicity in processing and networking

� Server-specific memory for application services

� Understanding redundancy for storage array options

� Server-related power supply considerations

� Building a better buyer’s budget

� PC component shopping tips

There is perhaps no greater satisfaction and no better sense of pride ofownership than in being a do-it-yourselfer. A properly motivated individ-

ual can get the job done and seeks out the appropriate resources when hiscapability or experience falls short of what’s needed to get the job done. Atremendous amount of knowledge and personal gratification comes from theexperience garnered from doing it yourself.

Instead of wasting too much time backpedaling mentally in search of probablecauses or guilty parties, you formulate plausible solutions or workaroundsand scramble to put your own plans into action. You are a budding PC guru, a veritable technology ninja. Okay, maybe nobody else in your office sees itquite that way, but an undeniable pleasure comes from doing things yourself.Just remember the old saying, “Everything is easy when you know how to do it!”

Of course, it often takes an advanced degree from The School of Hard Knocksto become a competent DIY guru. But we know of only one surefire way toacquire the necessary experience — just do it! The following chapters covermaterial for both Intel (Chapter 16) and AMD (Chapter 17) components andconfigurations to give you a fair assessment of the construction phase forboth products.

22_180433 ch15.qxp 2/25/08 7:50 PM Page 283

Server Requirements RevisitedWindows Server 2008 challenges the notion that you always need more hardware to keep pace with new Microsoft software platforms, an assumptionthat otherwise rings true. Windows Server 2008 has some interesting tricksup its technical sleeves that actually make it possible to operate using fewerresources — not more — than even an existing Windows Server 2000 orWindows Server 2003 installation.

Although you must still meet the minimum processing requirements(memory, CPU, storage capacity, and so on as outlined in Chapter 1),Windows Server 2008 features an installation option called Server Core thatlets you establish a minimal server operating environment that contains only enough programs to support specific service roles. These core roles,such as DNS or DHCP, export only a few functions to the connected world and therefore need very little local capability, such as desktop or multimediaapplications. In addition to reduced management, improved maintenance,and a smaller attack surface, the Server Core option enables you to proffer a server tailored to deliver only a certain set of capabilities and components.Because it’s remotely manageable, you can skip a full-time keyboard orheads-up display after you’ve completed the installation process.

With that in mind, consider the operational capacity of your server and itsservices. Will these include only DNS and DHCP, or will it service e-mailclients as well? When you begin processing higher volumes of data for a givenservice or set of services, you must increase hardware resources to accom-modate predictable upswings in demand, which can change dynamically andgeometrically on any given workday.

Processors: Cores, counts, and optionsKeep score on your core count. Traditionally, only high-end server proces-sors had any concept of multiple CPUs or cores working in tandem. Originallythis meant having a multiple of two processors per motherboard all operat-ing in concert, usually on portions of the same data or separate streams ofdata for a similar service. Recent designs have taken on an entirely newapproach, using multiples of two cores per CPU die, which increases process-ing power within about the same footprint. Today, it’s common to see desk-top computers using multiple multicore CPUs to handle compute-intensivetasks (perhaps video editing, multimedia processing, and — yes it’s true —high-end multiplayer 3-D games).

You can, therefore, combine multiple multicore processors into a single multiple-socket motherboard. Crazy concept, yes? But multiplicity is a guiding principle for many modern computer components and subsystems,

284 Part IV: Serve It Yourself

22_180433 ch15.qxp 2/25/08 7:50 PM Page 284

especially on servers. These include dual integrated networking interfaces,dual on-board disk array controllers, dual redundant power supplies, andmatched-pair memory modules in doubled-up memory slots . . . and the listkeeps growing. There are even dual separate 12 V power rails in many top-of-the-line power supply units (PSUs). Nowadays even desktop processorsreceive dual-core processor treatment from the likes of AMD and Intel.

Furthermore, there is another dividing line: processor bits. Typically, themodern CPU in your garden-variety desktop or workstation computer is a 32-bit little endian processor, which means it reads 32-bit words backwards(so that “ABCD” would appear “DCBA”, if you didn’t apply what you knowabout order when retrieving register contents). These words are the chunks ofbasic information that your processor processes in a single processing cycle,and the real distinction here is that newer makes and models increasinglyoffer 64-bit capability. This doubles the word length, acquires an entirely different designation (x64), and can support both 32-bit and 64-bit software.

Windows Server 2008 supports 32-bit and 64-bit operation with Intel’s Itanium64 (IA-64) platform fully supported in the Datacenter Edition, which is opti-mized for high-workload scenarios (as opposed to file or media services).Incidentally, Windows Server 2008 will also be Microsoft’s last 32-bit WindowsServer platform.

Motherboards can support anywhere from one to 32 processors dependingupon make and model, so choose the right ones to meet your business needs.

Memory: You can’t have too muchMain system memory is the intermediate workbench upon which all large-scale data is placed and used. Several computer applications may find themselves underserved and competing for a limited amount of resources,which will be highlighted and underscored during intense durations of heavyutilization. Memory is one of a few components you really can’t “outsource” —like external drive storage arrays — and you absolutely should not skimp onit, regardless of the cost of acquisition. There’s simply no justification for running the bare minimum in anything bigger than a small office.

That said, you can never really have too much memory because utilizationspikes should never exceed current capacity anyway. It’s better to have moreheadroom for all that data jumping around than to give it a glass ceiling tobump its head on.

There are also features found in the server memory that may or may not be required, depending on the hardware and software applications involved.Soft errors commonly occur in system memory, particularly where large volumes of data are processed in rapid succession. All this hyperactivity can

285Chapter 15: How to Be a DIY Guru

22_180433 ch15.qxp 2/25/08 7:50 PM Page 285

cause subtle changes in the representation of data, which can potentially corrupt mission-critical information in a very bad way. Error Correcting Code(ECC) memory is an expensive, fault-tolerant variant of normal memory thatcan detect and correct soft errors as they occur, or on the fly. Contrasted withthe unbuffered memory that desktops typically use, ECC memory is morerobust and reliable, which explains why it’s typically used with servers andserver applications. See the nearby sidebar for more about system memory.

Weigh these options carefully and consider carefully whether you should useECC memory in your servers, especially if they handle large volumes of (orany) mission critical data. (Hint: Most servers use buffered, ECC memory tomaximize accuracy and reliability.)

Disk space: Look out, it’s a RAID!Redundant Arrays of Inexpensive Disks (RAID) remain a bastion of server-oriented data storage. Considering that, can you select the correct answer tothis question: RAID combines several disks in a variety of ways that betterserve data and its users by making it: A) faster, B) fault tolerant, or C) fasterand fault-tolerant?

If you answered “faster and fault-tolerant,” you’re correct. RAID physicallycombines several separate disks into a single logical unit, which is then logi-cally perceived and utilized by end-users as if it were a single storage volumeand not a consolidation of multiple drives. This feat requires at least special-ized software, and — at the very best — specialized hardware and softwareworking as a cohesive unit capable of handling RAID capabilities. We won’tdelve into the finely-detailed distinctions and advantage hierarchies of themany RAID variations here. Just know that software and hybridized inte-grated chipset solutions operate at nowhere near the performance and relia-bility level that dedicated add-in RAID controller cards can deliver. If you’rerunning a business that’s sustained by timely and accurate data, don’t wastetime on second-best options. Protect your data with the very best coveragemoney can buy.

That said, RAID configuration subtly influences performance as follows:

� Increased disk count improves chances of single-disk failure.

� Error Checking Code (ECC) offers reliability with performance penalties.

� Mirroring data speeds up read access but slows down write operations.

� Striping enhances performance at the cost of reliability.

� RAID system design is a constant compromise in performance and reliability.


22_180433 ch15.qxp 2/25/08 7:50 PM Page 286

Some of the best RAID solutions support hot-swappable drives — that is, theyallow you to extract a defective drive from the array and insert a new one —while the system remains online. Less capable systems require a full shut-down and offline processing of data, which is a personal choice you makeaccording to your business needs. Hot-swappable hardware costs more andis more flexible and reliable. If continued operation and data availability areworth the added cost, look into such systems. If not, skip them.

Network access: Internal, add-in, and countsNetwork interfaces are another area in server design that tends to incorporate the power of two. Dual network interfaces integrated onto themotherboard layout are becoming increasingly common, generally withGigabit Ethernet (GbE) capability. Add-in cards also appear with two or fournetwork RJ-45 ports, each capable of servicing thousands of connections.

Network connections occur across the Internet in the millions; locally, adomestic network may generate thousands of internal connections. Individualendpoints may generate several hundred connections by themselves. The point we’re trying to illustrate here is that the number of connectionsincreases easily and geometrically in proportion to available bandwidth, linespeed, and interface thresholds. It’s better to have more operational capacityto deal with any sudden increase in processing overhead than to be under-served by under-performing hardware that just manages to squeak by undernormal load.


Much ado about memoryThere are three types of main system memory,and you might have to know which type is mostappropriate for your motherboard and processorselection. All three items must match for com-patibility purposes, so check with the mother-board for ECC support if that’s what you need.

� Unbuffered memory uses a chipset con-troller that deals directly with main systemmemory. No buffers or registers withhold

data, and unbuffered memory is the choicefor desktop and workstation computers.

� Registered or buffered memory uses addi-tional chips to delay passing of data to retainintegrity for data in transit.

� ECC (Error Correcting Code) memory pro-vides greater data accuracy and runtimedurability by preventing soft errors fromoccurring in the first place.

22_180433 ch15.qxp 2/25/08 7:50 PM Page 287

Multiple interfaces facilitate better failover servicing for high-availabilityservers and server applications. The presence of a second, third, or fourthnetwork interface enables meaningful reliability, such as the following:

� A backup network connection in the event that a primary interface fails

� Load-balancing features that help maintain optimal operational efficiencyunder heavy loads


Levels of RAIDNo discussion of RAID capability is completewithout at least a cursory breakdown and fun-damental examination of its inherent propertiesand native advantages. There are many varia-tions on the RAID theme that can easily confusethose of you who come from modest computingbackgrounds, with no real exposure to high-endstorage concepts.

A number of standard schemes, called levels,have evolved into a series of nested and (in somecases) nonstandard variations that seek to divideand/or replicate data among multiple drives toachieve increased reliability, enhanced perfor-mance, or both. The three elemental concepts toRAID include the following:

� Mirroring: The simultaneous duplication ofdata to more than one disk

� Striping: The splitting of data across severalparticipating disks

� Error correction: The native ability to detectand possibly correct data errors

RAID systems employ one or several of theseelements in combination, depending on theintended results and final application. A systemdelivering video-on-demand services may opt forstriping but not mirroring, whereas an SQL data-base server might be interested in both datareplication and striped access for speed.

Here are the most commonly used RAID levels:

� RAID 0: Minimum of two disks; striped setwithout parity for improved performance andadditional storage without fault tolerance.

� RAID 1: Minimum of two disks; mirrored setwithout parity for improved fault toleranceagainst disk errors and failure, withincreased performance toward read opera-tions but slower writes.

� RAID 2: Minimum of three disks; uses non-standard bit-level striping techniques withECC hamming parity; cost and complexitymake it impractical (see RAID 3/5 forreplacements).

� RAID 3 and RAID 4: Minimum of three disks;striped set with dedicated parity forimproved performance with fault toleranceusing a dedicated parity disk.

� RAID 5: Minimum of three disks; striped setwith dedicated, distributed parity, which cre-ates an array with fault tolerance againstsingle drive failure.

� RAID 6: Minimum of four disks; striped setwith doubly-distributed parity for fault toler-ance against double drive failure.

Also, various nested RAID levels combine manyof these features within layers. For example, aRAID 0+1 system is a mirrored (RAID 1) arraywhose segments are striped (RAID 0) arrays,which has a benefits structure similar to RAID 5.

22_180433 ch15.qxp 2/25/08 7:50 PM Page 288

� Specially screened traffic that may impose separate rules on differentinterfaces.

These are only a few concepts currently in daily use in networking environments around the world.

Case and power supplyAfter the CPU and graphics card, case design and form-factor are other crucial components in the case/power supply equation. You may have someprior experience with desktop and workstation PSU (power supply unit)designs; they’re relatively predictable and boxy and lack any truly distin-guishing features (until you get into the designer PSUs that are typically designated for gaming or enthusiast applications). However, the same sourceof power varies quite differently from most desktop and workstation units.

Much can be said about server case design without specifically citing theinnumerable examples that all qualify in this category. Server cases can bereissued desktop enclosures, or they can be special designs custom craftedfor particular environments or purposes, like Sun’s Blade servers or any 1U,2U, or 4U rack-mount design. (Space in equipment racks is measured in termsof equipment units, which translate into just under 3 inches high and 19inches wide, just right for standard rack dimensions.)

Some embedded server platforms have the dimensions of a pack of gum,whereas others are large enough to fill a 1950 Cadillac’s trunk. In any case, a server case design must include at least three major elements:

� Adequate airflow (for ventilation)

� Easy accessibility (for servicing)

� Simple extensibility or scalability (for upgrading)

These properties change from one case design to the next, incorporated inabout as many ways as there are case designers, but they remain constantfixtures for any well-crafted server case design.

Case design should reflect the motherboard and CPU choice because of the direct correlation between a suitable case and its internal components. A standard ATX form-factor motherboard won’t fit in a Mini-ITX enclosure, no matter how cleverly you repurpose all the other hardware and software to run as a server platform. There are specific, fixed mount points for everyform-factor, with only a few deviations in the arrangement of motherboardcomponents. Be sure to shop for cases in the appropriate category. Mixingand matching (for example, pairing an ATX case with a BTX motherboard or vice versa) simply doesn’t work.


22_180433 ch15.qxp 2/25/08 7:50 PM Page 289

Server power supply units, or PSUs, are manufactured in various dimensionsand designs, some of which aren’t used in the desktop/workstation scene.Rack-mount PSUs are built in various sizes to meet small-footprint require-ments in those environments. As such, they lack the mount points for a typi-cal PSU case and are thus incompatible with conventional computer cases.Likewise, a standard workstation PSU doesn’t make a viable substitute for themuch smaller 1U, 2U, or 4U designs (all incompatible amongst themselves).Pick your form-factors wisely and consistently!

Perhaps more important is an uninterruptible power supply, or UPS, which is more important for servers than for desktops or workstations. As thepower source for any computer, a power supply provides the vital energy itneeds to operate all its parts. Without power, nothing works at all. In powersag or spike condition, this means critical business applications may not beavailable, which may not be in the best interests of your business operation.A UPS includes a built-in battery that can take over from the power companywhen power gets wonky or goes missing. (Small units usually offer 15 min-utes of reserve power, enough to shut down systems gracefully; large unitsextend that time frame and may be integrated with backup power deliveryfrom diesel or gasoline generators.)

You should consider purchasing a UPS rated for a specific load (expressed involts, amps, and watts). Such units are often guaranteed to protect a specificmaximum dollar amount of equipment. Also make note of the rated runtimefor a UPS, which varies according to the load — anywhere from 15 minutes to an hour or more. Quality UPS units also act as line or power conditionersand clean up surges or sags in power that may adversely affect connectedhardware. All mission-critical hardware running business-critical applicationsshould receive UPS coverage without question.

Use the following guidelines to calculate the power consumption needs forany given server you build or buy:

� Approximate 25 watts for every optical drive and around 30 watts forevery disk drive.

� A CPU can range between 55–100 watts, with system memory drawingaround 14 watts per 512MB memory bank. Then consider that multicorearrangements also increase this consumption from the PSU and that disk drives surge around twice their operational draw when starting up.That is part of the reason you can find disk controllers with staggeredstartup features.

� PCI add-in cards can draw around 5 watts on the low end, and some PCI-Xand even PCI-E add-in cards vary in consumption trends. If you installed a graphics card, you might also check its wattage ratings — they varybetween 20–60 watts on the low end and 60–100 on the high end.

Tally up this count and then aim for a PSU with at least two-thirds more headroom or greater.


22_180433 ch15.qxp 2/25/08 7:50 PM Page 290

What about graphics?Indeed, what about them? Many kinds of server capacities, includingWindows Server 2008’s new Server Core installation method, can largely gowithout a proper graphics card, which is ideal anyway because who wants to spend extra money on a graphics card for a single display per server in acluster or farm formation, especially where there isn’t a proper desktop? Infact, it isn’t entirely uncommon to forego the use of expensive video adapterson many kinds of server platforms because you don’t have graphical user interfaces.

Ideally, you’d want to share at least one graphics card per several servers,even if it means having groups of servers all feeding off a single heads-up display. This can even be done remotely with server management tools andremote procedure calls, which require no graphics card on the remote end.However you want to work it is your business.

We recommend that you find either an integrated video solution for that first install or last-resort scenario and avoid buying anything fanciful or feature-rich for your server.

Important miscellany (cooler, fans, optical drive, monitor, keyboard, mouse)We haven’t yet mentioned some crucial components that are essential togood server design. For many of you, these items are no-brainers, but maybewe don’t entirely appreciate the full beauty behind some of these necessities.Even though this bit is for the uninitiated crowd, you could benefit from read-ing the following paragraphs at any experience level.

An enormous amount of processing ability comes at an enormous cost: heatbuildup. The thermal footprint of a given processor increases by surface areaand increases geometrically with the inclusion of multiple cores and largercaches. Invisible heat pockets develop in these target areas where processingis most frequent and intense: CPU, memory, network interfaces, and drives. Itis essential to cool these problem areas properly, which changes from onecase design and component build to another.

Not only are CPUs passively and actively cooled through a series of heatsinksand ball-bearing fans, but memory is now produced with heat spreaders tobetter distribute heat over a wider surface that can be cooled easier than isolated chips on the silicon surface. Fan designs for server computing tendto be larger and produce greater airflow, which automatically implies highernoise levels. This is in stark contrast to quiet-running, more efficient desktopand workstation components designed not to distract their users.


22_180433 ch15.qxp 2/25/08 7:50 PM Page 291

Because there’s no GUI — or not much use for one — on a server, there’s nographics adapter or even a monitor, nor will you find elaborate audio inter-faces, joystick and gamepad connections, pluggable peripherals and othersuch elements, either. Likewise, peripheral input devices are much less necessary with all the centralized network-based management tools popular-ized and already present in Windows Server 2008. You should probably havea few spare keyboards and mice around in case you need to work on severalservers simultaneously, but other than that you can get by nicely with a verysmall inventory of such items.

Building a Better BudgetAnother powerful and potential cost-saving feature of Windows Server 2008 is its native operating system–level virtualization strategy. Virtualizationutilizes a hypervisor at the operating system’s kernel layer — at the verycore of the system — that can partition a single installation into several inde-pendently working parts. Enabled this way, you can experience and share asingle server hardware build among several server software instances.

There are two big caveats here:

� This functionality will not initially be part of the platform; it will actuallyarrive much later, around 180 days after the market release of WindowsServer 2008.

� It will be available to only the 64-bit (x64) versions of Windows Server2008, so be prepared to step up components (such as the CPU) and drivers (like the network interface) to capably handle x64 processing.

CPU speed is less critical on server platforms than for desktops and worksta-tions, so don’t be drawn to the idea that you need fast clock cycles to dointensive computing. You tend to get more done with two or more slower-clocked CPUs than an individual desktop processor operating at much higherfrequencies, where applications are specifically designed to multithread andproperly utilize several separate processors.

Also consider that, instead of drawing up specs for a bunch of differentservers, you can virtualize several simultaneous instances of the operatingsystem and effectively produce multiple servers from a single hardwarebuild. The basic principle at work here is to emulate a larger number ofsmaller, less capable servers using a smaller number of larger, more capableones. The budgeting trick is to figure out how to spend less money on thosemore powerful machines than you would on the combined total of a largernumber of small, less capable ones. Fortunately, this is an eminently work-able solution and explains why so many companies and organizations, large


22_180433 ch15.qxp 2/25/08 7:50 PM Page 292

and small, are making increased use of virtualization in their day-to-day operations. If you’re interested in finding out more about virtualization,check out Virtualization For Dummies by Bernard Golden (Wiley).

PC Component Shopping TipsIn the server shopping world, it sometimes pays to stay slightly behind thecurve. By that, we mean you should purchase a few steps back from bleeding-edge or latest-and-greatest parts. Reserve most of your budget for all of themost crucial system components (CPU, memory, and storage) and tweakyour leverage in those areas.

Perform a little capacity planning beforehand to get an idea of what scale ofoperation is needed. Will your network remain relatively static over a periodof months or years, or do network loads and demand change dynamically ona daily basis? Will interruptions to power or service have costly adverseeffects on business? Know in advance what sorts of challenges you face andthe sorts of solutions you desire.

When shopping for server hardware, you might notice an entire cottageindustry built around specialty applications and designs that incorporateproprietary protocols, hardware, or various combinations thereof. We recom-mend that long-term strategists stick with reputable industry leaders likeDell, Compaq, or HP instead of leaning on smaller companies that specializein proprietary solutions. That’s not to say they’re entirely bad — but whatwould happen if an up-and-comer goes belly up two years before you find outthat a critical piece of hardware needs their specialized treatment? It’s alsoby no means a bad thing to use the parts list for a commercial turnkey serverwhen picking components for a do-it-yourself server that you may seek tobuild on your own.

Also consider the footprint for any given server you build. Sure, opting forrack-mount server hardware may save you some space, but it’ll cost youmore for components specifically tailored for rack-mount use. In that regard,there’s always a substantial trade-off worth considering. Also consider thatquad-core CPUs may be more beneficial in enterprise computing environ-ments than in moderate or small office environments with up to a few hun-dred users, so you can definitely hit a point of diminishing returns with CPUspeed and numbers. However, there really isn’t a foreseeable excess ofmemory because that’s the veritable workbench upon which all significantCPU tasks and projects are completed. Maybe a trade-off in CPU clockcycles/numbers versus memory capacity is your answer.


22_180433 ch15.qxp 2/25/08 7:50 PM Page 293

Dual network interfaces are almost a standard in today’s world, but thatdoesn’t mean you’ll always get double-duty pulling power on the wire. Youneed solid GbE capability all around to adequately sustain high levels ofbandwidth utilization, where a large part of the business environment hostsrich presentations, distance learning courses, and meetings online from anumber of remote sources. In short, there’s little justification for building 100Mbps Fast Ethernet networks when GbE is so readily available and affordable.

Assessing Windows Server 2008 Compatibility

Microsoft gives you two options to perform a quick compatibility check thatapplies equally to Windows Vista and Windows Server 2008 (because the twoopenly share a common code base). These two tests are a clean installationof Windows Server 2008 or an upgrade to Windows Vista from Windows XP(SP2) on the target hardware. If you encounter any errors, you’ll know thatyour hardware is in some way unfit for operating both Windows Server 2008and Windows Vista.

We would like to see a much stronger solution made generally available for the public to examine hardware fitness for suitability with WindowsServer 2008, but there doesn’t appear to be a straightforward answer at thetime of this writing. Currently, you can use the Microsoft ApplicationCompatibility Toolkit (ACT) to roughly gauge the compatibility for certainbuilds, even though it’s actually designed for software. You may explore theACT and other compatibility toolkits and information at the Microsoft Web site at http://technet.microsoft.com/en-us/windowsvista/aa905066.aspx.

ACT utilizes compatibility evaluators to collect application, device, and hard-ware information from your desktop without interruption to any users. It thenreturns this information for your analysis prior to deployment of Windowsplatforms. Such is the case with Windows Vista’s Hardware Assessment inven-tory tool, which examines an organization’s readiness to run Vista. Best of all,you can use one PC to investigate an entire network of Windows computersand create a comprehensive report specific to individual computers and theirrespective recommendations. ACT also has the Vista Upgrade Advisor, adownloadable Web application that helps XP users identify upgrade pathoptions, but more importantly makes suggestions as to what (if any) hardwarechanges are necessary for certain editions of Windows Vista. You may obtainthe Vista Upgrade Advisor at www.microsoft.com/windows/products/windowsvista/buyorupgrade/upgradeadvisor.mspx.


22_180433 ch15.qxp 2/25/08 7:50 PM Page 294

There’s a huge difference between true workstation and true server hardware. What works on a workstation may work as a server, but what’sdesigned specifically for server use won’t likely work on the desktop. Usingthese Vista-specific tools only gives a false sense of readiness for WindowsServer 2008 for those of you using specialty hardware; otherwise a workstation-turned-server will do just fine with these evaluators. Perhaps theone true, time-tested compatibility evaluator really is the actual installationmedium itself. So far, it remains that way.


22_180433 ch15.qxp 2/25/08 7:50 PM Page 295


22_180433 ch15.qxp 2/25/08 7:50 PM Page 296

Chapter 16

Servers the Intel WayIn This Chapter� Intel server hardware installation step by step

� Intel CPU and motherboard selection

� Sizing up your memory requirements and disk utilization trends

� Case and power supply considerations

� Installing server hardware components

� Server software installation time

We maintain the politically correct position that there is no inherentlysuperior hardware component or server build. In our view, there’s no

need for religious debate or fanatical proselytizing about the advantages orbenefits of one platform or part over another — we generally view those whoengage in such behavior as having an agenda to push. The plain fact of thematter is this: Whatever works for you in your situation with your conditionsand considerations is the best or perfect solution — for you!

Lots of unsubstantiated claims, anecdotal advice, and assumed truths aboutserver solutions are floating around. After you discount all the superimposedmysticism, empty marketing rhetoric, and bad suggestions, there’s usuallynot much left behind. We tend to stick to what we know holds true, both universally and for ourselves.

AMD processors, whatever you may hear, are just as good for most servercomputing tasks as Intel processors. Reading about benchmarks only tellsyou about the performance ratings a given system achieves in some particu-lar test-environment scenario for an isolated set of variables and individualenhancements. What those benchmarks don’t tell you is how well-suited orwell-constructed your hardware is as it applies to your environment and itsunique conditions. Especially when it comes to entry-level or low-endservers, neither AMD nor Intel enjoys a lasting or definite advantage, perhapsapart from what readers may know best or be most comfortable with.

23_180433 ch16.qxp 2/25/08 7:51 PM Page 297

In this chapter, we offer you the build-up walkthrough on an Intel server, not that it’s that much different from our AMD procedure in the next chapter.The process is pretty much identical, although the parts are quite different.

Get geared up and ready to roll out on your new server hardware hog, easyrider. We’re about to take a Sunday cruise through the build phase.

Choosing a CPU and Motherboard FirstAlthough most of us don’t make car-buying decisions based on the engineand chassis, a well-trained computer hardware hound sniffs out these traitsmuch like a sports enthusiast shops for a Sunday speedster. You know thatonly high-performance equipment is capable of handling the power curveand dynamically changing conditions on a busy raceway circuit. In the samevein, server computers aren’t garden-variety grocery getters with a sportspackage added on; they’re certifiable performance platforms around whichall else is designed, built, and implemented.

But our analogy stops there. Unlike true sports cars, server computers usually don’t match or beat the fastest production quality products on themarket, and that’s because they don’t aim to win that kind of race. Rather,servers are the cornerstones of business computing; they’re the stable-keptworkhorses that plow the fields and sow the land. They aren’t show horsesmeant for exhibition. In fact, deep down a lot of server hardware is unassum-ing, perhaps even ugly to people who see only the most visible machinesused in business operations: workstation computers.

The short of it is, the CPU and motherboard are the most important elementsin your server foundation. They should be scrutinized and carefully selectedaccording to their business value and processing power.

Intel first stabilized low-voltage chip designs, which is one of the compellingreasons Apple Computer switched platforms from the Freescale PowerPCcore. Intel has an enormous production capacity and prides itself on creatingstable processing platforms for workstation and server computing tasks. Wesee low-voltage parts as one small stride in the direction of greener comput-ing environments, which you should consider in the design phase of yourserver build. Excess electricity and air conditioning cost more.

Low-cost Intel-focused motherboards are comparably less impressive, feature-wise, than comparable AMD-based motherboards, but they typicallyaim at more business-like uses. Even Intel’s own business-class motherboardsfollow a similar form and format: a typical green plank loaded with unassuming chips and controllers.

Newer Intel processor types typically range from the Celeron D and Pentium4 to the Pentium D and Core 2 Duo platforms, each with its own unique


23_180433 ch16.qxp 2/25/08 7:51 PM Page 298

advantages and disadvantages. There are also enterprise-worthy Xeon andItanium processor platforms for servers, plus high-efficiency Pentium andCeleron M cores and bleeding-edge Pentium Extreme Edition (EE) processorsto choose from. Each CPU has its own corresponding set of requirements forcompatible memory, core chipsets, and device controllers that provide varying degrees of capability and integrated features. That’s why you mustshop around for a platform to suit your business needs.

Intel processor packages also come in a variety of formats, sizes, andpinouts. There are pinned and pinless CPUs in 90 or 65nm die sizes reachingnearly to 4 GHz speeds, with varying on-board cache sizes. Some are even finished in 64-bit trim with dual and quad-core processing capabilities. In general, we recommend simple single- or dual-processor server mother-boards with basic graphics, ports, and connectors, with an emphasis on diskdrive support and memory capacity.

Selecting and Sizing MemoryImagine having a workspace the size of your footrest. You can build and complete small projects in it just fine. You can even complete lots of littleprojects in that small footprint over a period of time — but that’s entirely the point. Other projects are lined up, waiting to advance through the taskqueue, hoping to get processed in an orderly and timely manner. Their frequency may be regular or sporadic, occurring at any given time in variousnumbers, but every one must be completed in turn and on time.

Next, imagine you’re a factory worker assembling lots of little pieces intoslightly larger combinations that then contribute to another, much larger project that may or may not involve other completed workbench projects aswell. You couldn’t possibly assemble that massive monstrosity in your tinyworkspace! This is precisely the analogy we use to convey the working rela-tionship of your RAM to your CPU.

A large workspace offers you more than capacity: It also delivers confidencefrom knowing you can handle tasks of any size along with a large series ofsmaller, easily completed tasks, all within the same workspace, often aroundthe same time. Main system memory offers your CPU a temporary residencefor information in active use, providing room for intermediate building blocksin larger applications and processes. Imagine your server is the factory floorof a massive assembly plant where you oversee the production line. You wantall the factory floor space you can get, right?

Memory not only needs to be available in the right quantity, but it must be ofthe proper type as well. There are several types of memory, none of whichare interchangeable, all suited for particular products and specific purposes.There is memory in buffered and unbuffered flavors that can correct errorson the fly, and it’s packaged in various formats that include Rambus Dynamic

299Chapter 16: Servers the Intel Way

23_180433 ch16.qxp 2/25/08 7:51 PM Page 299

RAM (RDRAM), synchronous Dynamic RAM (DDR and DDR2 SDRAM),SODIMM (Small Outline Dual Inline Memory Module, the type used in mostnotebook PCs), and others we won’t even mention. What we will say is thatyou must be keen to match your memory selection to your motherboard and processor.

In our case, the Intel server motherboard uses two socket 771 bases andrequires buffered, error correcting (ECC) DDR2 memory that works at speedsup to 667 MHz. For that motherboard, we chose 4GB of Kingston Value RAM,pictured in Figure 16-1, and it’s an excellent bang for the buck choice rated as PC2 5300 (runs at 667 MHz).

Selecting and Sizing Disk SpaceRemember, Windows Server 2008 minimum requirements demand at least10GB — unless you’re using 16GB or more of RAM — and recommend 40GB of free drive space for server installation alone. That doesn’t include allthe extraneous applications and data you’ll invariably need, either.

Realistically, you should probably include at least two drives of at least200GB in size for system use and anywhere from three to six drives from320GB to 1TB each for data. Nowadays, pricing on SATA drives has droppedbelow 25 cents per gigabyte, so there’s no excuse for equipping a server with too little storage space.

Accessing current needs and anticipating future growthWhen you outfit your server with storage, be sure to make allowances forlong-term growth and expansion to support maximum flexibility and scalabil-ity. Only you can know what kinds of data and how much must be stored andprocessed on your servers, so make a rough guesstimate to quantify all thatdata. Let’s assume this, for example: Your server processes audio sound bitesfrom a department of journalists. These files average around 5MB per clip,

Figure 16-1:Kingston

Value RAMDDR2

memorymodules

with ECC.


23_180433 ch16.qxp 2/25/08 7:51 PM Page 300

with a single user processing perhaps hundreds at any given time for anygiven project. If you impose a cap of 5GB (or approximately 1,000 audio clips)per user directory and you have 20 active users on that server, you require at least 100GB of storage space. Subject each key application to the samemetrics. (E-mail, project documents and spreadsheets, and graphics files mayall be sized using the same kind of approach.) Let’s say you come up with a grand total of 800GB of storage space required.

Next, assume you must mirror all these presumably valuable files so thatthey may be recovered in the event of disk failure or data corruption. Younow need 1.6TB of storage space just to house user data alone. See howeasily that adds up? And this naïve example takes into account only a narrowand specific selection of data — these same users are also likely to haveother written records, annotated quotes, reference materials, citations, andother research data stored alongside these sound bites. You also haven’t considered any video footage that may be necessary for the same user group,or taken into account other roles this same storage server may take onthroughout its lifetime.

Planning for RAID You must also plan carefully for any RAID server storage technologies youwish to employ on your server. These schemes generally require at least two disks (or some multiple thereof) and in some cases additional third orodd-numbered drives for checksum storage. There is also just a bunch ofdisks (JBOD), which creates a single logical storage volume from multiplephysical drives that you can use to expand server with different-sized drives.

For RAID use, make certain that all drives are identical (including make,model, size, and interface). There are several types of hard disk interfaces,none of them compatible, from SCSI to SATA. Some use serial connections,others parallel, but what matters is that you identify and acquire the appropriate interface type for your motherboard or add-in drive controller.

Lastly, when purchasing new drives, be aware of the distinction between our decimal definition system reference and actual disk capacity that a computer reads as a binary number. In human terms, one gigabyte equals1,000 megabytes; however, a computer sees one gigabyte as 1,024 megabytes,which makes a considerable difference at very large capacities.

Making Network ConnectionsYou must decide if your server can do its job properly using built-in networkinterfaces. (Server motherboards generally include them in pairs. OurSuperMicro X7DAE extended ATX motherboard includes two Intel-based


23_180433 ch16.qxp 2/25/08 7:51 PM Page 301

gigabit Ethernet interfaces.) Or you may need to install and use additionalEthernet interface cards instead. This would generally occur if you expectyour server to handle huge volumes of network traffic, where you could ben-efit from a TCP/IP Offload Engine, or TOE, on the interface card.

For our test purposes — and for most home office/small office situations —the built-in network interfaces are perfectly okay. Given that TOE cards usu-ally cost at least $100 each (and as much as $250) this represents a consider-able savings — but only if you don’t need the extra networking horsepower.When you do need it, such cards tend to pay for themselves pretty quickly.

Picking the Right Case and Power Supply

Cases and power supplies are generally closely associated, for multiple rea-sons. First, when you purchase a case, it may include a built-in power supply.Second, cases tend to dictate the size, shape, and set of features (or their orientation) that can or should be present on the power supply. To many, thisseems only natural because these two parts are analogous to the skeletonand the heart, crucial for sustaining form and function for other internalorgans — err, components.

Case designs vary so wildly you wouldn’t recognize many modern examplesas even having sufficient operating room for a proper server installation.Units can be as small as or smaller than your cell phone to larger than yourrefrigerator. For our build, we used a so-called bench case: It’s really an openplatform where the motherboard simply rests on the top shelf and the wireand cable cards emerge at the back. There is room underneath the top shelfand on a bottom shelf for the power supply, optical drive, and as many diskdrives as you care to stack within its confines. We also chose a quiet, capable, and efficient Seasonic S12 650-watt power supply (which retails for about $165).

For ordinary business use, most SOHO buyers purchase either mid-tower orfull-size tower cases. We’ve had good luck with the Antec Atlas and Titanmodels (which include their own power supplies in sizes from 550 to 650watts), and the SuperMicro 743T case, which has the advantage of comingfrom the same company that made the motherboard, so you can be sure of agood fit (it also includes a built-in 650-watt power supply). All of these casesretail for between $100 and $200, which is about typical for a good-qualityserver case with a built-in power supply.


23_180433 ch16.qxp 2/25/08 7:51 PM Page 302

Building an Intel-Based Server from A to Z

Our examples in this section can be extrapolated to other server builds thatincorporate different hardware components just on basic principles. Thetechniques and procedures you may encounter when installing foreign ornonstandard hardware will vary by the product and its peculiarities, but otherwise, these concepts remain largely the same.

We selected components you might expect to encounter in a commonWindows Server 2008 networking environment. Our walkthrough is tailoredto be generic enough to follow even if you’re using entirely different compo-nents, such as SCSI rather than SATA drive interfaces or DDR instead of DDR2 memory.


Testing as you goMake sure that you’re well-grounded when han-dling any computer components. Discharge anystatic electricity that may linger on your personby grasping some unpainted metal surface suchas your toolbox, a nearby computer case, or anenclosure part. Basically, physical contact withanything grounded will draw static away fromyou and discharge safely.

Negligible though it may seem, sufficient staticdischarge can easily incapacitate hardware onfirst contact. We’ve yet to seriously damage anynew hardware ourselves, but we can attest tooccasions where all it took was a little dischargeto do a lot of damage to well-worn or in-use parts — often resulting in their premature anduntimely passing.

Grounding yourself regularly lets you test hard-ware for fit and function as you proceed throughthe build process. One common issue thatcauses initial lift-off failure is an improperly

plugged or incompletely seated component.(Memory modules are particularly prone to thiskind of fault.) Here are some areas to pay partic-ular attention to:

� Be mindful of every beginning and end ofevery cable.

� Be certain that each component connectoris correctly oriented and snug; otherwise, aslight tug — perhaps as you reach across tofix something — can dislodge and disruptyour work.

� Make sure that socketed components —memory, CPUs, and motherboards — aresnugly seated in their sockets and avoid toomuch force when checking them. (A surpris-ingly small amount of brute force, improperlyapplied, can also spell doom for fragile com-puter components, especially CPUs withhundreds of tiny and delicate metal pins.)

23_180433 ch16.qxp 2/25/08 7:51 PM Page 303

Insert the PSUOn to the power supply, or PSU, veritable heart to the host body that is aserver case. If the CPU is the brain and RAM acts as memory workspace forthat brain, the PSU is the heart that drives energy into an otherwise inani-mate server. Without its correct and proper fit, there can be no function.Critical issues arise when even a minor detail is amiss on the PSU — anunplugged connection or an under-powered voltage rail, for example. Takespecial care and pay close attention to connectors on your PSU and wherethey must plug in.

The following example assumes that your PSU is new and therefore likely tobe free of defects or malfunctions. However, this might be yet another unwar-ranted assumption — you could conceivably get through an entire serverbuild and never realize the PSU is kaput. We recommend putting the PSUthrough some formal or informal preliminary testing to make sure it deliverssufficient power. You can purchase basic CPU testers from companies likeAntec or StarTech for between $10 and $15; we urge you to do so and putthem to work when you start building.

Also consider that your motherboard and CPU selections will impose different demands and requirements on a PSU, so choose your PSU wisely.Server-specific motherboards often incorporate specialized plugs or powerinterfaces for multiple CPUs, enhanced graphics cards, and other advancedfeatures. Explore these options thoroughly before making any buying decisions, so that all three of these critical elements match up.

Follow these steps to insert the PSU:

1. Locate the mount point for the PSU.

Mount points on the case, usually indicated by threaded screw holes,should align perfectly with those bored into the PSU case. Correctlyorient these holes to properly position the PSU before inserting anymounting hardware.

2. Orient the PSU properly.

Power supplies come in a variety of shapes and sizes, so you shouldcheck for fit and identify any clearance or access issues, including cablereach. If your PSU includes an auxiliary fan on its bottom surface, withthe exhaust out the back, as shown in Figure 16-2, be sure there is adequate clearance for the fan to move airflow properly (in the bottom,out the back).

3. Securely fasten the PSU in place.

It doesn’t matter what pattern you follow when screwing in the mount-ing hardware; we prefer making an X pattern, traveling diagonally tomount and tighten screws. Never tighten them enough to deform themetal enclosure or server case material.


23_180433 ch16.qxp 2/25/08 7:51 PM Page 304

4. Plug the primary 20- or 24-pin power plug into its socket.

This is by far the largest and most recognizable plug on the PSU harness.You should have the proper PSU selection for your motherboard.

5. Optionally, bind each of the cables.

This enables better airflow and encourages a clean workspace for otheradministrators, integrators, or technicians who may do follow-up workinside the case.

Seat the CPU and coolerEasily, the most expensive single-item purchase is the CPU; that goes doublefor dual-CPU rigs like the one we chose for our build. The CPU also happensto be the least accessible component in a completed system build because toget at it you must open the case and remove the cooler (which sometimesposes its own unique challenges) to expose it to view. We’ve encounteredsome coolers that required removing some or all of the nearby hardware,including magnetic and optical drives, socketed memory, and add-in cards.You perform all that work, just to free up sufficient work space around thecooler so that it can be dismantled, removed, and the CPU made accessiblefor service.

Ideally, you should install the CPU and cooler onto the motherboard beforeaffixing the motherboard inside your server case. It’s much easier to ensureproper placement and adequate workspace for tools when your movementisn’t restricted by interior elements of the server case and other neighboringcomponents. Usually the CPU has a small footprint, so pulling or placing oneinto its socket is a non-issue; however, coolers aren’t nearly as predictable as

Figure 16-2:A power

supply unitwith a largeauxiliary fan

resting onits top

surface,exhaust

outletshowing at

the front,intake fan at

the top.


23_180433 ch16.qxp 2/25/08 7:51 PM Page 305

CPUs. Some designs are either so large or the case so cramped that workingin a confined space is virtually impossible, so please heed our advice — it’s based on painful experience.

Depending on the make and model of your CPU, there may be delicate pinson its underside or integrated into the CPU socket itself. This latter design is a more modern concept that presumably saves on replacement costsbecause a single server CPU at market price can cover the cost of severalserver-worthy motherboards. In short, if you bend a pin out of place on aCPU socket, you must replace a less expensive motherboard; force the CPU into place and bend some pins, and you must pay for a more expensiveprocessor, if you can’t gently persuade those pins back into alignment.

Seating the CPUTo seat the CPU, follow these steps:

1. Locate the CPU socket.

Specialty designs often feature multiple sockets for multiple processors,so you may in fact identify several sockets. Primary and secondary sockets on the motherboard may be protected by a graphite-coloredplastic shield, which should be removed for installation, that protectsthe CPU socket from incidental damage.

Take a look at Figure 16-3, where we show two Intel Xeon 5000-seriesprocessor sockets on an Intel server motherboard.

2. Check the CPU socket.

Modern CPU sockets are frail enough that they can break on the slight-est provocation, and the only surefire fix is motherboard replacement.Don’t be clumsy or overly forceful when examining the socket fordefects, or when seating the CPU in a later step. CPU handling calls for a careful, delicate touch.

3. Unlatch and uncover the CPU socket.

The socket will be guarded by a pressure plate and latching swing arm.You should be gentle when working with the latch. It should never bindor demand significant exertion to operate. Closely observe Figure 16-4,where we unlatch the arm that holds a tension plate over the CPU tokeep a snug fit.

4. Check for proper CPU orientation.

Also check that the CPU is free from defect in workmanship or finishquality to avoid complications later during the build.

5. Socket the CPU.

Work the CPU gently into its socket; it should fit into place without much pressure or persuasion. Don’t force it to fit; any resistance shouldprovoke immediate action, which means repositioning the CPU into itscorrect orientation.


23_180433 ch16.qxp 2/25/08 7:51 PM Page 306

6. Repeat Steps 1 through 5 as necessary for multiple CPUs.

7. Identify motherboard power plug points for the CPU.

The appearance and arrangement will change from one motherboard tothe next. In most garden-variety single-processor boards, you’ll have a 4-pin auxiliary cable plug situated near the CPU. This is a main (and necessary) source of power for the CPU. Multiple-core motherboardsmay have several such plugs; sometimes they require a special 8-pinplug instead, as with our SuperMicro X7DAE motherboard. See Figure 16-5.

Figure 16-4:Unlatching

theprocessor

socket armon a

mother-board.

Figure 16-3:Intel Xeon

CPUsockets on aSuperMicro

X7DAEmother-

board.


23_180433 ch16.qxp 2/25/08 7:51 PM Page 307

Seating the coolerFollow these steps to seat the cooler into its socket:

1. Locate the cooler mount points.

Identify placement for the cooler, noting any retention brackets, retainerclips, or pilot holes that correspond to the cooler hardware assembly.Also observe placement of the power connector for later use.

2. Dry-fit the cooler once.

A dry-fit approach lets you check any clearance issues you may havewith access or placement of the CPU and/or its cooler. Situate your CPUinto the socket, but do not mount it in place yet.

You should dry-fit the CPU cooler into its socket at least once to learnthe proper fit and orientation.

3. Check its orientation and airflow path. You may have to opt for a lessfavorable or reversed orientation to achieve optimal airflow.

4. Inspect the underside of the CPU cooler. Check for a patch of grayish,silvery, or whitish thermal paste underneath the copper or aluminumbase. Where there isn’t already one, you’ll have to apply thermalpaste, which we recommend be spread directly atop the processor.Follow these steps:

a. Remove the CPU from the socket and set it on top of a folded-uppaper or cloth towel or a foam pad.

b. Apply a thorough, consistent layer of thermal paste. Use a credit cardor business card to smooth the paste into a thin layer that covers theentire top of the CPU package.

c. Reseat the CPU into its socket.

If you need to apply thermal paste, use either a manufacturer-suppliedsingle-shot portion or some other source for thermal paste. It oftencomes in plastic syringes from which you can extrude just a dab andthen use a business or credit card to spread a thin, smooth layer across

Figure 16-5:CPU power

socket, ofwhich theremay be one

or more,depending

on thedesign.


23_180433 ch16.qxp 2/25/08 7:51 PM Page 308

the surface. We’re fond of the Arctic Silver brand, a well-known andwidely used thermal paste.

5. Securely fasten the cooler mount plate to the motherboard.

Retention clips or a retainer bracket may interface with the mother-board and cooler; assemble these in their correct orientations. There’salmost always some clamp or screw that keeps the cooler securely in place.

6. Connect the cooler power cable (see Figure 16-6).

Never omit this step or intend to connect it later — this isn’t a minordetail that you can leave unfinished or overlooked. Otherwise your CPUwill get overcooked!

Our setup, pictured in Figure 16-6, shows that we have one power plugsituated catty-corner just outside our main processor socket on the Intel motherboard.

Seat the RAM modulesMemory modules all have their own distinctive and predictable footprints,and their actual formats can change in subtle ways that require a keen eye. For example, discriminating DDR from DDR2 memory takes a bit of basic product knowledge; differentiating ECC or registered from unbufferedmemory takes a keen eye and strong product knowledge. We don’t expect you to have that ability. Leave that for the propeller heads and, at the veryleast, the retail associates and sellers of such hardware.

Figure 16-6:CPU coolerfan power

plug locatedon an Intel

servermother-

board.


23_180433 ch16.qxp 2/25/08 7:51 PM Page 309

You should already know what kind of RAM works with your CPU and motherboard. There are some dangerous (read: fiery) incompatibilities thatcan arise from mixing memory rated for different interfaces at different voltages. And despite the fact that memory designers and circuit engineerstry to make it difficult to plug the wrong component into the wrong socket,some ingenious installer invariably finds a way to do so with lethal effect (for the RAM, not the installer). Pay attention to what you’re doing.

To seat RAM modules, follow these steps:

1. Locate the RAM banks.

Long, parallel rows of memory sockets stretch alongside or nearby theCPU socket.

2. Identify socket keying for orientation.

Memory and memory banks are keyed for a specific fit and orientation.Carefully observe which way the memory fits. Selecting the propermemory type from the very beginning ensures no complications here.Match up the short segment of pin on the module with the short segment in the memory socket, and you’re ready to go.

In Figure 16-7, we install DDR memory into the Intel motherboard for our two-way Intel Pentium processors. Our memory banks on thismotherboard aren’t color coded in a manner that visually indicatesmatched banks, but some motherboards employ color-coding for yourconvenience.

3. Unlatch the toothed latches on each socket.

Each latch tooth corresponds to a groove cut into the sides of thememory module. These teeth lock into place to hold memory securelyinside the socket.

4. Gently press the memory modules into place.

Memory should slide into the socket with little resistance. You shouldnever force-fit memory modules because they can break under pressure.If you encounter any resistance, rotate and retry.

Figure 16-7:Banks of

memory inour Intel

servermother-

board.


23_180433 ch16.qxp 2/25/08 7:51 PM Page 310

5. Repeat Steps 3 and 4 for multiple modules or multiple processormemory banks.

In a multiple-socket motherboard, you’ll have to make special considerations as to how much memory you allocate per processor.

Install the hard disk drivesDisk drive formats haven’t really changed much over the years. Disk plattershave gotten increasingly dense while the overall width has remained constant.The interfaces have gone through many fundamentally different changes thatboth enhance and better the lifespan of our most precious storage long-termvolumes, but overall the procedure for installing them remains unchanged.

Whether your hardware includes SCSI, Parallel ATA (PATA), or Serial ATA(SATA) cabling, it’s all the same: You install a cable between the drive and the controller. It’s really as simple as that. For the purposes of this demon-stration, we use SATA because our motherboard (pictured in Figure 16-8)includes a SATA controller with connectors. But you can mentally substitutewhatever interface you’re currently working with and follow along with these steps:

1. Locate the nearest appropriate disk drive bay.

Disk drive bays are generally cages of stacked 3.5-inch drive slots thatappear much smaller across than do 5.25-inch accessory drive bays.These may be self-contained cages capable of being extracted entirelyfrom within the case, or they may use fixed or removable drive mounts or rails.

2. Identify the nearest drive connector.

Figure 16-8:SATA drive

controllerconnection.


23_180433 ch16.qxp 2/25/08 7:51 PM Page 311

Sometimes the best slot isn’t in the most convenient or accessible loca-tion. Avoid stretching the drive cable. Reposition the drive as necessaryto achieve an optimal distance from its controller connection.

3. Insert the disk and fasten securely.

Slide the drive into its slot. It should take no persuasion. Be sure to usethe screws that came with the drive because they’re properly threaded,and never over-tighten any fastening hardware. An inappropriate threadcount can strip the drive threads and lock the fastener in place ordamage overly-tightened mount points.

4. Cable the drive to the motherboard.

Always utilize the first drive slot designation — usually indicated asIDE0/IDE1, SATA0/SATA1, or SCSI0/SCSI1. (Check your motherboard reference manual.) Link all additional drives in sequence on the controller or motherboard, whichever is the intended target.

5. Connect the drive to the power supply.

The standard power connector is a 4-pin Molex type that featuresbeveled edges on only two corners so that you can never plug it in wrong. For SATA drives, a keyed power connector may be usedinstead. (It’s also oriented to resist improper hook-ups.)

Install the optical diskAs with magnetic storage, little has changed so significantly that you’ll findthis new encounter unfamiliar. An optical disk, for all its apparent qualities,appears either as a tray or slot-loading device with an activity light (or several) and at least one button (eject) and possibly some decals (indicatingdrive capability and type).

Whatever underlies that façade can change randomly, for all we know —that’s one yard we hardware hounds tend not to dig holes in. As long as wekeep connecting their cables in a predictable, adaptable fashion, we don’tmuch care either. Here are the steps for installing an optical disk:

1. Locate the nearest appropriate optical drive bay.

In a multiple-slot or tower configuration, we recommend placement furthest away from nearby heat-producing parts. This can even meanstaggering drive placement between slots (leaving an opening betweeneach drive) so that heat has less chance to pocket and build up.

2. Check for proper fit.

Whether going in from the front or pushing through the back, perform adry-run once through so you can identify any potential hang-ups. Thismay include removing a faceplate or shield, clearing an obstruction, or


23_180433 ch16.qxp 2/25/08 7:51 PM Page 312

relocating the drive. Also make sure all your drive mount holes line upproperly.

3. Insert the drive into the bay.

It should slide easily and freely into place with little persuasion.

4. Fasten the drive securely in place.

Again, don’t over-tighten the screws so that they deform any softer parts.


Identify the proper slot for your drive, typically not the first channel onthe first drive controller bank of the motherboard. Drive connections onthe motherboard are numbered sequentially from first to last, and werecommend you not interleave hard drives and optical drives.

When using an on-board RAID controller, use only those drives specifi-cally involved in the RAID array on that controller. Where there are twoseparate controllers, use one RAID-specific setup for optical drives andthe other for hard disks, no matter how many plugs may remain unusedon the hard disk array.

6. Cable the power supply to the drive.

After establishing all other steps, connect power to the drive. Ensureproper fit.

Set up the hardwareAfter you have all the hardware seated, cabled, and primed for action, youcan begin your crucial first boot-up. Assuming that you plugged in everycable and included every component, the system should at least show youthe initial Power-On Self-Test (POST) warm-up phase — it’s like calisthenicsfor computers.

If nothing happens, you should check your power source. Or if you observe alittle activity and then nothing, that indicates some sort of component incom-patibility or a faulty power source (among other possible causes). If you hear any beep codes, be aware that they provide audible indicators for vari-ous sorts of operational issues — memory isn’t seated correctly, the CPU ismissing or can’t be detected, or a USB drive is plugged in and just isn’twanted there.

Barring any such complications, you’ll be presented with a startup screen.This may flash instantly before your eyes, but hopefully you get a chance tosee whatever key sequence is necessary to trigger the BIOS setup screen.From here, you must make all the necessary server-specific changes to set-tings that require them — such as any ECC memory settings, CPU identifiers,and the initial boot order. This is important for the next step, where youinstall Windows Server 2008.


23_180433 ch16.qxp 2/25/08 7:51 PM Page 313

Install the OSWe cover more detailed instructions governing the installation process, with a qualifying explanation of the entire procedure, in Chapter 5. There area number of ways you can install Windows Server 2008 (or upgrade from an eligible software platform), so we can’t reasonably cover them all. Here’s a synopsis for the straightforward process, as described more thoroughly in Chapter 5.

If your server will include an earlier version of Windows kept alongsideWindows Server 2008, install it first. This permits the Windows Server 2008boot manager (which uses boot configuration data, or BCD, stores) to identify and utilize that installation.

After you complete the Initial Configuration Tasks setup (Chapter 6), spendsome time getting to know the Server Manager interface and all its functional-ity. You’ll be spending a considerable amount of your administrative time onthe server managing, monitoring, and modifying attributes through this interface. Don’t be afraid of trying new installation methods, either. You’lleventually want to perform a remote network install, an unintended install, or perhaps both. Try everything at least once!

Ready to Rock-and-Roll?We’ve walked you through the process of installing the server hardware andsoftware necessary for your first build, which we assume went smoothly. Thenext step is to purpose this server for your network and all its users by includ-ing features and functions that are vital to sustaining your business processes.

Now that you have your server hardware assembled and operating under the control of Windows Server 2008, you’re ready to start adding users, network roles, and server responsibilities. Prepare to begin operation as anewly-fledged server administrator!


23_180433 ch16.qxp 2/25/08 7:51 PM Page 314

Chapter 17

Servers the AMD WayIn This Chapter� AMD server hardware installation step by step

� AMD CPU and motherboard selection

� Sizing up your memory requirements

� Sizing up your disk utilization trends

� Case and power supply considerations

� Installing server hardware components

� Server software installation time

As explored in more detail in the preceding chapter, we maintain anobjective view regarding the relative advantages and benefits of Intel

and AMD processors, including server models. At some times, Intel mayenjoy an apparent advantage, at others, the balance tips toward AMD. Buteither way, when you’ve made your choice, you must live and work with the resulting system, and that’s when the real effort gets underway.

To us, what’s most important is an easy trio to remember. We call them thethree Cs:

� Comfort refers to what you know and are familiar with and rests on thetendency, that all humans share, to repeat successful or positive experi-ences. Those who know Intel best usually stick with what they know,and those who know AMD best do likewise.

� Cost lets budget limits or thriftiness come to the fore. We know plenty of system builders and buyers who have opted to go with what they perceive to deliver the best bang for the buck at the time of purchase,even if that means leaving comfort behind to try something new.

� Convenience addresses the tendency to build or buy what’s most readily available and, therefore, easiest to come by.

As you make your own server selections, whether you’re choosing compo-nents to build a server yourself or evaluating turnkey server systems, you’llfind all three Cs coming into play at one time or another. Comfort usually

24_180433 ch17.qxp 2/25/08 7:51 PM Page 315

governs the big decisions (motherboard and CPU); cost usually governs howmuch you’re willing to spend on parts both big and small; and convenienceinvariably rules when you put everything together and discover you needanother fan, some cables, or other miscellany.

In this chapter, we offer you a build-up walkthrough on an AMD server, notthat it’s terribly different from the Intel procedure discussed in the previouschapter. We discuss component selections and take you through the assembly process.

Choosing the CPU and Motherboard FirstAs in the previous chapter, we maintain that choosing a motherboard andone or more CPUs to populate it are the key elements in any system build.After you’ve chosen those items, everything else follows naturally and nicelyfrom that decision.

What we chose for our example buildFor our AMD build, we selected a dual-processor motherboard with two mid-range processors from the company’s second-generation dual-core Opteronfamily in its value-priced 2000 series — namely, two Opteron 2114 CPUs and a Gigabyte GA-3CCWV-RH motherboard to match.

Interestingly, the Gigabyte motherboard costs between $280 and $320 as we write this chapter — about $100–120 less than the SuperMicro X7DAE featured in the preceding chapter. The 2114 is a 2.2 GHz dual-core processorthat retails in the neighborhood of $215, while the Intel 5110 we chose in thepreceding chapter retails for about $220 and runs at 1.6 GHz. Thus, our AMDsystem clocks at about 30 percent faster and costs $110–130 less. GivenIntel’s commanding market position, especially in the server market, this is a very typical situation, where AMD comes out slightly ahead in price performance, and Intel comes out ahead in options and availability.

Exploring your optionsAn AMD CPU’s real advantage — insofar as we’re concerned here — is usuallyits price point. Apart from that difference, however, we find no significantadvantage or disadvantage that should persuade you for or against AMD orIntel. We don’t really care, as both are excellent choices. You just can’t losegoing either way.


24_180433 ch17.qxp 2/25/08 7:51 PM Page 316

AMD processor packaging appears in a few variations, depending which seg-ment of the market you shop within — recent, near recent, or not-so-recentpast. Today’s server-worthy AMD processors range from 754 to 939 and 940pinned sockets to a more recent unpinned socket AM2 design, all of whichrequire different processors, memory types, and — in some cases — analmost entirely different component selection. As we write this chapter, themarket includes K8 processor cores, which include everything from rock-solid server Opterons to cutting-edge desktop Athlon 64 FX processors andthe low-cost Sempron and mobile Turion processors. Most of these come in32-bit and 64-bit models, where some include dual-core processing, withquad-core models coming to market for the first time ever from AMD.

AMD processor dies also range from the relatively standard 90nm unit size to a smaller, more efficient 65nm unit size. Herein lies a crucial distinction: A smaller unit size is geared toward higher energy efficiency, which lessensthe financial burden and overall power consumption impact on your businessor organization. This can be a significant advantage for large-scale operationslooking to reduce their operational energy footprint to conserve long-term costs owing to cumulative excessive heat build-up and increased cooling costs.

The logic that drives high efficiency circuitry works like this: It’s okay to paymore for a lower-powered part upfront because you’ll save more money inthe long run on energy costs. Thus, for example, the Opteron 2114 we chosefor our build also comes in a high efficiency model, the Opteron 2114 HE. The standard part is rated at 95 watts while the HE part is rated at 68 watts,indicating that, cycle for cycle, the HE part consumes about 30 percent lessenergy than the standard model. The price differential is a mere $20 or so andargues strongly in favor of buying a more power-efficient part not onlybecause it saves energy but also because lower power consumption meanscooler operation and a longer device lifetime.

Perhaps the most significant point to bring up is that when buying a server-oriented (as opposed to workstation-oriented) processor and motherboardcombination, you’ll generally have to step up all other parts to match, whichcosts more. If you want strong results on a smaller scale or at a lower pricepoint, opt instead for high-end desktop components that also work as server hardware.

Selecting and Sizing MemoryOur Gigabyte GA-3CCWV-RH motherboard houses two Opteron 2000-classserver processors, which require DDR2 ECC memory. That’s the kind we mustuse. Because we’re installing the 32-bit version of Windows Server 2008, weopt for two 2GB modules, the maximum memory that the 32-bit version supports.

317Chapter 17: Servers the AMD Way

24_180433 ch17.qxp 2/25/08 7:51 PM Page 317

Selecting and Sizing Disk SpaceWe repeat the same choice we made for the Intel build in Chapter 16 —namely, two 320GB Seagate 7200.10 perpendicular magnetic recording (PMR) hard disks. These offer an unbeatable combination of speed, quiet,and affordability (at about $80 each as we write this chapter). A productionserver build would probably add three or four more such drives, if not bigger ones. (The 7200.10 models also come in 400, 500, and 760GB sizes at prices in the $100, $120, and $210 range, which makes the 500GB modelsbest buys in this product family.)

Making the Network ConnectionsAs with the Intel motherboard in Chapter 16, the GA-3CCWV-RH mother-board includes two GbE RJ-45 ports in its rear port block. For most smalloffice/home office environments, this is more than sufficient network connec-tivity. Only if you’re serving a large number of users or hosting extremely network-intensive applications or services on your server will you need morenetworking horsepower. In that case, you’ll want to investigate PCI or PCIe-x1network interface cards with TCP/IP Offload Engine (TOE) capabilities. Thesegenerally retail for $100 to about $250 each for single- or dual-port GbEmodels. If you need them, you’ll generally not be bothered much by the extra expense they entail.

Picking the Right Case and Power Supply

Cases and power supplies are closely linked for at least two reasons:

� When you purchase a case, it often includes a power supply.

� It’s important to make sure that the case accommodates the type ofpower supply you wish to use. This won’t affect your choices much ifyou build in a standard mid-tower or full-sized tower case, as we recom-mend — in that case, any modern ATX 12 V power supply rated at 550watts or higher should do the trick. But if you’re building in any kind ofcompact or rack-mount enclosure, matching PSU and case becomes averitable mandate.

Please consult the section on case and power supply in Chapter 16 to get ourrecommendations for some good server cases in the $100–200 price range.Other good case vendors include Cooler Master, Thermaltake, and Athena Power.


24_180433 ch17.qxp 2/25/08 7:51 PM Page 318

Construction from A to ZOur illustrated examples in this section can be applied to other server buildsutilizing different hardware just on basic principle. The techniques and pro-cedures you may have to call upon when installing foreign-made or nonstan-dard hardware will vary according to each product and its peculiarities, butthe underlying concepts and sequence covered here remain largely the same.

We selected components you might expect to see in a common WindowsServer 2008 networking environment. Our walkthrough is tailored to begeneric enough to follow along even if you’re using entirely different compo-nents, like SCSI instead of SATA drive interfaces or DDR instead of DDR2memory.

Insert the PSUOn to the power supply. You’ll begin by installing it inside your case, andthen routing power leads to the motherboard connections. Before you doanything else with it, however, you may want to pick up a cheap PSU tester(models usually cost from $10 to $15 and plug into the same 20- or 24-pin connector that serves as the motherboard’s primary source of juice) andcheck to make sure your PSU works properly. A green light at this stagesimply means you can expend the time and effort necessary to mount thePSU inside the case and start stringing power leads.

The steps that follow assume that the PSU is new and therefore relatively freefrom defect or malfunction. However, this is yet another unsafe assumption —you could conceivably get through an entire server build and never realizethat the PSU is defunct. We recommend putting the PSU through some formal or informal preliminary testing to make sure it at least delivers sufficient power.

If you buy a power supply rated at 550 watts or higher, it’ll generally includethe kinds of power leads you need for a server motherboard. (Generally, this requires a 20- or 24-pin ATX lead plus either a 4-pin or 8-pin motherboardlead, if not both varieties.) All of the 550-watt power supplies we looked atwhile researching this book (which included models from Gigabyte, Corsair,Zalman, NorthQ, Sea Sonic, and Antec) included at least two 4-pin leads, two6-pin leads (used for SLI and CrossFire dual graphics card setups), and atleast one 8-pin lead for auxiliary motherboard power. We reused the samepower supply for our AMD system that we used for our Intel system —namely, a Sea Sonic S12 650-watt power supply (retails for about $145). Hereare step-by-step installation guidelines:


24_180433 ch17.qxp 2/25/08 7:51 PM Page 319

1. Locate the mount points on the PSU and case.

Mount points on the server case, usually indicated by threaded screwholes, should align perfectly with those bored into the PSU case. Orientthese holes to properly position the PSU before inserting or tighteningany fasteners. You may also want to look at sound insulation kits forPSUs available from vendors like Antec. These cost less than $15 andinclude silicon dampening materials on the mounting screws, as well asa form-fitting silicon gasket that slips between the PSU and your case.These serve to eliminate metal-to-metal contact and eliminate noise thatvibration might otherwise induce.

2. Orient the PSU properly.

Power supplies come in any number of treatments and a variety ofshapes and sizes, so you should check for fit and identify any clearanceissues including cable reach. If your PSU includes an auxiliary intake fanunderneath, as most of them do, be sure there is adequate clearance forthe fan to draw air into the PSU inside the case and for it to exhaustwarm air out the back of the case.

3. Securely fasten the PSU in place.

It doesn’t matter what pattern you follow when screwing in the mount-ing hardware; we prefer making an X pattern, traveling diagonally toinsert and tighten screws. Never tighten them enough to deform theenclosure or server case material.

4. Plug the primary 20- or 24-pin power plug into its socket on the motherboard.

This is by far the largest and most recognizable plug on the PSU harness.Your PSU should include all the power cables your motherboardrequires.

5. Optionally, tie each of the cables down.

This enables better airflow and encourages a clean workspace for otheradministrators, integrators, or technicians who may do follow-up workinside. It’s also a good idea to coil up unused cable strands next to thePSU, and then use cable ties to secure them out of the way as much as possible.

Seat the CPU and coolerEasily, the most expensive single-item purchase for any computer is its CPU.For the motherboards we chose for these chapters, that goes double becauseeach one accommodates two processors. The CPU also happens to be theleast accessible component in a completed system because you must openthe case and then remove the cooler to get at this device. We’ve encounteredcooler designs that required us to remove some or all of the nearby hardwarecomponents, including magnetic and optical drives, socketed memory, and


24_180433 ch17.qxp 2/25/08 7:51 PM Page 320

other adapter cards, just so we could get the cooler out and get at the CPU.That’s a lot of extra work just to do what’s really necessary. Try to pick thesmallest workable cooler, and you probably won’t have to go through suchcontortions yourself.

Ideally, you should install the CPU and cooler onto the motherboard beforeit’s seated inside the server case. It’s much easier to mount these parts when you have adequate workspace for tools, and when your movement isn’trestricted by interior elements inside the server case and other neighboringcomponents. Usually, the CPU has a small footprint, so pulling or placing one into its socket is easy. Coolers are nowhere near as predictable as CPUs.Some coolers are either so large or the case so cramped that working in confined spaces is virtually impossible, so please heed our advice — it’sbased on prior, painful experience.

Installing the CPUDepending on the make and model of your CPU, it may include delicate pinson the underside of the processor die. Otherwise, such pins may be integratedwithin the CPU socket. Either way, you want to proceed with care and cautionwhen seating, socketing, and locking the CPU into place. This is an extremecase, where a little brute force improperly expended can result in majorreplacement expenses, whether for a new CPU or another motherboard.

Here’s our step-by-step guide for CPU installation:

1. Locate the CPU socket.

Specialty motherboards often include multiple sockets for multipleprocessors, so you may identify several sockets. Some primary or secondary sockets on the motherboard may be protected by a graphite-colored plastic shield, which must be removed prior to installation, thatprotects the CPU socket from incidental damage.

Take a look at Figure 17-1, where we zoom in on the AMD Opteronprocessor socket on a Gigabyte server motherboard.

2. Check the CPU socket carefully.

Modern CPU sockets are sufficiently frail to break at the slightest provocation, where the only surefire fix is total replacement. Don’t beclumsy while examining the socket for defects or problems.

3. Unlatch and uncover the CPU socket.

The socket will be guarded by a pressure plate and latching swing arm.Be gentle when working the latch; it should never bind nor require significant effort to operate.

4. Check for proper CPU orientation.

Also check that the CPU itself is free from defects in workmanship orfinish to avoid complications much later during the build.


24_180433 ch17.qxp 2/25/08 7:51 PM Page 321

5. Socket the CPU.

Work the CPU gently into its socket; it should drop into place withoutmuch pressure or persuasion. Never force the fit; any resistance shouldprovoke immediate action, which usually means repositioning the CPUin the correct orientation.

6. Repeat Steps 1 through 5 as necessary for multiple CPUs.

7. Identify motherboard power plug points for the CPU (see Figure 17-2).

The appearance and arrangement of this will change from one mother-board to the next. In most garden-variety single-processor boards, you’llhave a 4-pin auxiliary cable plug situated nearby the CPU. This is a main(and necessary) source of power for the CPU. Multiple-core mother-boards will have several, sometimes requiring a special 8-pin plug. SeeFigure 17-2 for an example. (In the figure, note the 4-pin cover designedto accommodate older 20-pin ATX cables; for modern 24-pin PSUs, youmust remove this as well.)

Figure 17-2:The 8-pin

CPU powersocket is

next to the24-pin

mother-board

power plug.

Figure 17-1:AMD

OpteronCPU socket

on aGigabytemother-

board.


24_180433 ch17.qxp 2/25/08 7:51 PM Page 322

Installing the coolerFollow these steps to install the cooler:

1. Locate the cooler mount points.

Identify placement for the cooler, noting any retention brackets, retainerclips, or pilot holes that correspond to the cooler’s hardware assembly.Also observe placement of the cooler’s 3- or 4-pin fan power connectorfor later use.

2. Dry-fit the cooler once.

A dry-fit approach lets you check any clearance issues you may havewith access or placement of the CPU and/or its cooler. Situate your CPUinto the socket, but do not mount it in place yet.

You should dry-fit the CPU cooler into the socket at least once to learnits proper fit and orientation. Check its orientation and airflow path. Youmay have to opt for a less favorable or reversed orientation to achieveoptimal airflow.

3. Inspect the underside of the CPU cooler.

Check for a patch of grayish, silver, or white thermal paste beneath thecopper or aluminum base. Where it’s absent, you will have to apply thermal paste yourself, which we recommend you smear directly ontothe processor. Follow these steps:

a. Remove the CPU from its socket and place it gently on a paper orcloth towel to protect delicate pins or contact points on its bottom surface.

b. Apply a thin, consistent layer of thermal paste.

A couple of small blobs in the middle is usually enough, which youmust spread out into a thin, smooth layer that covers the entiretop surface of the CPU package. Use a credit card or cardboardbusiness card to smooth the paste into a thin, even layer.

c. Reseat the CPU into its socket.

If you need to apply thermal paste, use either a manufacturer-suppliedsingle-shot portion or some other source for thermal paste. It oftencomes in plastic syringes from which you can extrude just a dab andthen use a business or credit card to spread a thin, smooth layer acrossthe surface. We’re fond of the Arctic Silver brand, a well-known andwidely used thermal paste.

4. Securely fasten the cooler mount plate to the motherboard.

Retention clips or a retainer bracket may interface with the motherboardand cooler; assemble these in their correct orientations. There’s almostalways some clamp or screws to keep the cooler securely mounted.

5. Connect the fan power cable to the CPU fan block on the motherboard.


24_180433 ch17.qxp 2/25/08 7:51 PM Page 323

Never omit this step or leave it for later — this isn’t a minor detail thatyou want to leave unfinished or overlooked. Otherwise, your expensiveCPU could wind up overcooked!

Our setup, pictured in Figure 17-3, shows one of the CPU fan powerblocks situated just behind the main power plug on the Gigabyte moth-erboard. To power up the fan, simply slide the 3-pin connector over thethree rightmost pins in the 4-pin block. (It’s made to accommodate both3- and 4-pin CPU fan power leads.) We chose a pair of common and popular Zalman CNPS 7000 coolers for our two Opteron processors;these retail for about $40 each.

Seat the RAM modulesMemory modules all have distinctive and predictable footprints, but theactual format can change in subtle ways that require a keen eye to spot. Forexample, differentiating DDR from DDR2 memory takes a bit of basic productknowledge; differentiating ECC or registered from unbuffered memory takes akeen eye and strong product knowledge. We don’t expect you to have thatsort of ability. Leave that one for the propeller heads and at the very least theretail associates and sellers of such hardware.

By doing your homework in advance, you should’ve already identified andobtained appropriate RAM for your motherboard. There are some dangerous(read: fiery) incompatibilities that can arise from mixing memory rated fordifferent interfaces at different voltages. And despite memory designers’ andcircuit engineers’ best efforts to make it difficult to plug the wrong compo-nent into the wrong socket, some ingenious installers invariably find someway to do it, sometimes with lethal effects to the hardware itself. Please payattention to what you’re doing.

Figure 17-3:CPU coolerfan power

plug on theGigabyte

servermother-

board.


24_180433 ch17.qxp 2/25/08 7:51 PM Page 324

The quickest way to make sure everything is copasetic is to put the memorymodule next to the memory socket and make sure that the slots in the middleline up exactly. If so, please proceed with the following step-by-step guide; ifnot, get the right RAM and try again!

1. Locate the RAM banks.

Long, parallel rows of memory sockets stretch alongside or nearby aCPU socket.

2. Identify socket keying for orientation.

Memory modules and memory banks are keyed for a specific fit and orientation. Carefully observe which way the memory fits (or doesn’t).Selecting the proper memory type from the get-go ensures no complications here.

In Figure 17-4, we install DDR memory into the Gigabyte motherboard forour two-way AMD Opteron processors. This board contains color-codedmemory banks as a visual indicator to match rows where you shouldinsert the memory, which is by no means a standard feature. This letsyou take advantage of the performance boost that dual-bank memorycan deliver.

3. Unlatch the toothed latches on each memory socket.

Each tooth corresponds to a groove fashioned into the memory module.These teeth lock into place to keep memory secure in the socket.


Testing as you go . . . reduxIn Chapter 16, we exhort our readers to groundthemselves before they handle any computerequipment, especially circuitry such as memorymodules or CPUs. Consider that same requestfirmly but politely stated here, too.

This time around, we want to encourage you tocheck your work at each step along the way, asit makes sense to do so. A minimal operationalPC consists of a power supply, motherboard,processor, and cooler (or multiples thereof, as onthe server boards in these chapters), andmemory. After you stick them inside your caseand hook up the power and reset leads, youshould flip the power switch and see if the boardlights up and the cooler fan(s) begin to spin. If so,you can keep on building. If not, you need to

check your connections and wiring to make surethat the power leads from the PSU to the moth-erboard are all properly attached, and the con-trol leads from case to motherboard likewise.

As you complete each additional step along theway — adding disk drives, optical drives, and soforth — repeat the power-up test to see if LEDsturn on, drives spin up, and so forth. If you test asyou go, by the time you’re ready to boot up forreal, your chances of getting a splash screen anda set of POST messages will be pretty high. Thatmeans less time wasted getting the hardwareworking before installing Windows Server 2008.We think this is the right way to do it and hopethat, with practice, you’ll think so, too.

24_180433 ch17.qxp 2/25/08 7:51 PM Page 325

4. Gently press memory modules into place.

Memory should slide into its socket with little or no resistance. Neverforce-fit a memory module; it can break under pressure. If you encounterresistance, rotate and retry.

5. Repeat Steps 3 through 4 for multiple modules or multiple processormemory banks.

In a multiple-socket motherboard, you’ll have to make special considerationsas to how much memory you allocate per processor.

Installing hard disk drivesDisk drive formats haven’t really changed much over the years. Disk plattershave gotten increasingly dense, but overall width has remained constant.Interfaces have gone through many important changes that both enhanceand improve the lifespan of our precious storage volumes, but overall theinstallation procedure remains unchanged.

Whether your hardware includes SCSI, Parallel ATA (PATA) or Serial ATA(SATA) cabling, it’s all the same: You install one cable between drive and controller and another from a power supply cable to the drive itself. Simpleas that. For the purposes of our demonstration, we assume you have SATA;our build (pictured in Figure 17-5) includes a SATA controller. Feel free to substitute whatever interface you’re currently working with, if it’s somethingother than SATA, and follow our step-by-step guide:

Figure 17-4:It’s best to

insertmemorymodules

pairwise,each into a

same-colored slot.


24_180433 ch17.qxp 2/25/08 7:51 PM Page 326

1. Locate the nearest appropriate disk bay.

Disk drive bays are generally cages of stacked drive slots that are narrower (3.5 inches versus 5.25 inches) than the accessory drive bays.These may be self-contained cages that you can extract from the casecompletely, or they may use a series of fixed or removable drive mounts,clips, or rails.

2. Identify the nearest suitable drive connector.

Sometimes the best slot isn’t in the most convenient or accessible loca-tion. Avoid stretching the drive cable. Reposition the drive as necessaryto achieve optimal distance from its controller connection. Consult themotherboard manual to identify where the boot drive (or mirrored pairof drives) must connect.

3. Insert the disk and fasten it securely.

Slide the drive into its slot. It should take no persuasion. Be sure to usethe screws included with the drive because they’ll be properly threaded,and never over-tighten any fasteners. A mismatched screw can strip thedrive threads and lock the fastener in place. If in doubt, try the screwson the drive before you mount it in the case, and use only screws thatthread in and out without resistance or binding.


Always utilize the first drive slot designation — usually indicated asIDE0/IDE1, SATA0/SATA1, or SCSI0/SCSI1. (Check your motherboard reference manual.) Link all subsequent drives in an orderly fashion tothe controller or motherboard, as your configuration dictates.

5. Connect the drive to the power supply.

The de facto standard power connector is a 4-pin Molex type that features beveled edges on only two corners so that you can never plug it in wrong. SATA drives tend to use modular power connectors, like theone shown above the left-hand bank of SATA controller plugs on themotherboard in Figure 17-5.

Figure 17-5:SATA drivepositioned

with left-facing SATA

connector.


24_180433 ch17.qxp 2/25/08 7:51 PM Page 327

Installing the optical diskAs with magnetic storage technology, little has changed where optical driveinstallation is concerned. An optical disk, for its apparent qualities, appearseither as a tray or slot-loading device with an activity light (or several) and at least one button (eject) and possibly some decals (indicating drive capa-bility and type). That said, with an increasing selection of SATA-attached optical drives available nowadays, we prefer those because SATA data cablesare much more compact and easy to install than IDE data cables.

Whatever underlies an optical drive’s front panel can change randomly, for all we know. As long as those drives keep working when we cable them upproperly, we don’t much care either. Here’s a step-by-step guide to opticaldrive installation:

1. Locate the nearest appropriate optical drive bay.

In a multiple-slot or tower configuration, we recommend placing youroptical drive as far away as possible from heat-producing parts, such asdisk drives. This often means staggering drive placement across slots(leaving an opening between drives) to give air more room to circulatewithin the server case.

2. Check for proper fit.

Whether going in from the front or pushing through the back, make adry-run to identify potential hang-ups. These may include removing afaceplate or media tray shield, clearing obstructions, or relocating thedrive to a different 5.25-inch bay. Next, make sure all your drive mountscrew holes line up with slots or mount points in the case.

3. Insert the drive into the bay.

It should slide easily and freely into place with little persuasion.

4. Fasten the drive securely in place.

Again, don’t over-tighten the screws; snug is good enough.


Identify the proper slot for your drive, typically not the first channel onthe first drive controller bank of the motherboard. Drive connections onthe motherboard are numbered sequentially from first to last, and werecommend you not interleave hard drives and optical drives. If you’reusing IDE cables, don’t connect a hard drive and an optical drive to thesame cable.

When using an on-board RAID controller, use only those drives specifi-cally involved in the RAID array on that controller. Where there are twoseparate controllers, isolate each RAID setup completely from any optical drives, no matter how many plugs may remain unused in theRAID array.


24_180433 ch17.qxp 2/25/08 7:51 PM Page 328

6. Cable the power supply to the drive.

After establishing all other steps, connect the power to the drive.

7. Make sure the drive tray opens and closes properly.

Ensure proper fit, especially in a case with front panel doors or built-inmedia tray covers. Sometimes, you may have to slide the drive forwardor back a little (or a lot) so that the switch on the front of the caseengages properly with the switch on the front of the drive.

Setting up hardwareWhen you have all your hardware seated, cabled, and primed for action, youcan begin your crucial first real boot-up. Of course, this means you musthook up a monitor and a keyboard as well so that you can provide input andview output from your server. Assuming you’ve plugged in every cable andincluded every component you need, your system should at least show youthe initial Power-On Self-Test (POST) warm-up phase — like calisthenics for computers.

If nothing happens at all, you should check the power supply and its variousconnections. A little activity and then nothing usually spells some sort ofcomponent incompatibility or a faulty power source (among other possiblecauses). If you hear beep codes, please note that they provide audible indications for various operational issues — memory isn’t seated correctly,the CPU is missing or can’t be detected, or a USB drive is plugged in and justisn’t wanted.

Barring any such complications, you’ll be presented with a startup screen.This may flash instantly before your eyes, but hopefully you get a chance to see whatever key sequence is necessary to trigger the motherboard’s BIOS setup. From here, you must make all necessary server-specific changesto settings that require them — such as any ECC memory settings, CPU identifiers, and the initial boot order. This is important for the next step,where you finally install Windows Server 2008.

Installing the OSWe provide detailed instructions about the installation process, with a qualifying explanation of the entire procedure, in Chapter 5. There are manyways you can install Windows Server 2008 (or upgrade from an eligible software platform). We can’t reasonably cover them all here (or in Chapter 5,


24_180433 ch17.qxp 2/25/08 7:51 PM Page 329

either). Here’s a synopsis for the straightforward process described morethoroughly in Chapter 5: We inserted the DVD, ran the install process, andgot Windows Server 2008 up and running without encountering anything outof the ordinary. It found our drives, both optical and hard disks, without difficulty, and we were able to load drivers for key motherboard componentswithout problem in the final, post-install configuration and networking phase.We can only hope your installation goes as well as ours did.

If your server will include an earlier version of Windows alongside WindowsServer 2008, install that software first. This permits the new Windows Server2008 boot manager to identify and offer that installation as a boot option as well.

After you complete the Initial Configuration Tasks setup (Chapter 6), spendsome time getting to learn the Server Manager interface and all its functional-ity. You’ll be spending a considerable amount of your administrative time on the server managing, monitoring, and modifying attributes through thisinterface. Don’t be afraid to try new installation methods, either. You’ll eventually want to perform a remote network install, an unintended install, or perhaps both. Try everything at least once!

Ready to Rock-and-Roll?We’ve walked you through the process of installing server hardware and software necessary for your first build, which we anticipate went smoothly.You must now customize and configure this server for your network and allyour users by including the accounts, features, and functions they’ll need.

Now that you have your server hardware assembled and operating under the guidance of Windows Server 2008, you’re ready to start adding users, network roles, and server responsibilities. Prepare to function as a newly-fledged server administrator!


24_180433 ch17.qxp 2/25/08 7:51 PM Page 330

Chapter 18

Taking Care of Your Own IssuesIn This Chapter� Introduction to the troubleshooting methodology

� Defining your troubleshooting methodology

� Diagnosing setup failures

� Dispatching startup issues

� Run-ins with run-time errors

� Monitoring server operations

� Tweaking Windows Server 2008 for performance

Any proper troubleshooting process begins with a basic format or formalstructure. Generally, from a technician’s perspective, we envision a

pyramid of prioritized checkpoints that we run through when investigating aproblematic piece of hardware or software. This methodology remainsroughly the same no matter how we apply it, even if the conditions and vari-ables change considerably within the context of exercising that methodology.

When you troubleshoot a car engine problem, you don’t normally check tirepressure or trunk contents. In the context of an engine bay issue, that justdoesn’t make any sense. Instead, you probably check engine fluid levels, bat-tery terminals, spark plugs and distributor caps, serpentine belts, and vari-ous other interconnections. These things make perfect sense in the contextof troubleshooting an engine problem. Now suppose you had some sort oftire traction or roadway handling problem, would you first check the enginebay? We don’t think so.

Likewise, you need a proper format to approach server-related issues orproblems. Even if you don’t fully understand the nature of the problem, youneed a working structure to begin analyzing and identifying a probable cause.If your server experiences some form of connectivity issue, the first thing werecommend checking is the cabling — it will fail on you more often thanyou’d like to think possible. The same applies to hard drive cables as well asnetwork interface cables. Sometimes this is the only source of a seeminglycritical error that, if overlooked, will confuse and baffle you into submission.

25_180433 ch18.qxp 2/25/08 7:52 PM Page 331

Equally important is your thoroughness and adherence to a formal diagnosticmethodology or troubleshooting format — that is, never overlook any step,no matter how seemingly benign or unimportant it may appear to be. Suchcasual assumptions really can get the best of you, and we don’t want to seeyou wipe egg off your face simply because you made an easily avoidable bututterly unwarranted assumption.

Troubleshooting Common Windows Server 2008 Problems

In the following sections, we sketch an informal methodology for approach-ing several troublesome Windows Server 2008 problems. We feel that givingyou a more flexible framework or a set of universally-applicable procedures ismore beneficial than citing a few narrow, specific examples.

Setup failuresInstallation or setup failures are a common occurrence, but they won’t normally recur with appreciable frequency. Unattended installations may becrippled by an incorrect parameter or incompatible setting, the network maybecome inaccessible during a remote install, or user error may cause failureduring a manual installation procedure.

Generally, begin troubleshooting such an issue by checking theSetupact.log and Setuperr.log files, which will be located in one of twoplaces according to when the installation failed: If setup only has sufficienttime to copy files, these files are located in $WINDOWS.~BT\Sources\Panther; otherwise, if setup halted in the midst of expanding or implement-ing software, try Windows\Panther on the partition that contains theWindows Server 2008 installation.

Unavailable partitionA partition may become inaccessible to the installer for a number of reasons.Some of the known reasons are described in the following list:

� Insufficient storage space: An inadequate partition requires resizing(just click Extend) or another partition deleted to clear sufficient space.

� Insufficient free space: Again, adequate space must be cleared by deletion of unnecessary files and perhaps reclamation and reallocationof other partitions.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 332

� Invalid volume format: If the designated partition is prepared as a non-NTFS format, Setup will invalidate its use as an installation target.Reformat as NTFS.

� Invalid volume type: If the target partition is neither a basic disk nor asimple dynamic volume, Setup will deem it ineligible as an installationmedium. Create or select an appropriate volume type from your avail-able storage media.

� Initialized raw disks: Your server may contain a single uninitialized rawdisk; two or more require partitioning, which requires running Setuptwice. Either partition and initialize disks prior to use, or (as with newbuilds) just endure the inevitable double-reboot setup process.

� Invalid BIOS settings: Disk and optical drives may be disabled or notflagged as bootable media in the BIOS. Reboot and trigger the BIOSsetup menu, then flag the appropriate bootable disk volume.

You may encounter issues that aren’t described here, but those are exceptional cases.

Restart failureOccasionally, Windows Setup will fail to rediscover its installation source (forexample, disk or optical drive). Often, this requires you to load a driver sothat it can be identified after Windows Setup readies for first boot, much likewhat occurred with early Windows XP installations and SATA disk or opticaldrives.

Follow these steps to prepare Windows Setup with the appropriate drivers:

1. Save the driver to an appropriate storage medium (such as a USBdrive, CD or DVD, and so on).

2. Start the Windows Server installation DVD to invoke Windows Setup.

3. Under Disk Selection, click Load Driver and follow the onscreeninstructions.

If the system fails to start following this driver inclusion, it may not havebeen digitally signed. Where possible, try using only digitally-signed device drivers.

Startup failuresWindows Server 2008 may fail to start up for a number of reasons, withsystem failure occurring in a number of areas. Some startup errors are dulynoted: Incompatible or incorrectly installed hardware might elicit a series ofdiagnostic BIOS beep codes, or state that it can’t find a working boot volume.Other errors aren’t so obvious, such as those that crash Windows as it

333Chapter 18: Taking Care of Your Own Issues

25_180433 ch18.qxp 2/25/08 7:52 PM Page 333

attempts to bootstrap itself, which triggers an instant reboot, which repeatsthe process all over again.

Common causes of startup failure are ranked below in descending order oflikelihood:

� Hardware failure

� Driver failure

� Corrupt file or volume

� Misconfigured setting

� Malware or viral infection

We explore these top-level topics in better detail throughout the followingparagraphs.

Hardware failureA server system can fail to initialize and start up due to hardware failures of all kinds (for example, a bad or disconnected plug or electrical damage).We’ve personally experienced such grief with developmental or experimentalquality driver controllers that systematically and independently ruined driveafter drive until we recognized them as the true source.

Chipset issues are probably the most difficult to diagnose without some specialized skills and toolsets. Some drive failures are self-evident (the soundof galloping coconuts suggests the drive arm is contacting the platters), andothers are easily resolved, although just as easily overlooked (unseated ordefective drive cable). For the most part, you can use most of your senses(including common sense) to diagnose many hardware issues.

Driver failureDriver and system data updates can also be a source of run-time woes. Again,drawing on our recent experiences, we’ve seen seemingly benign processesresult in total disaster, often repeatedly on the same or separate machinesdespite our best efforts.

Windows Update has occasionally triggered some series of unfortunateevents that conspire to ruin mission-critical data and files, which fortunatelyaffected only a few Windows XP installations — so far, no such bad luck withWindows Server products! The point is, it happens, and even we wouldn’tbelieve it possible had we not directly experienced it ourselves.

Corrupt file or volumeCorrupted files and volumes are common and usually easily corrected.Windows Server 2008 has modified the entire boot infrastructure so that it nolonger resembles its predecessors (except Windows Vista), but we’re willing


25_180433 ch18.qxp 2/25/08 7:52 PM Page 334

to wager any boot-time issues will be relatively similar. Granted, each solu-tion will be entirely different.

Corruption happens any number of ways: A drive controller goes bad, a drivecable gets disconnected, a drive volume is unexpectedly taken offline whenupdating data, and so forth. You could be creating a backup image onto anexternal USB drive plugged into your Windows Server 2008 server whenanother administrator, unaware of your workload, unplugs it for use else-where. Experimental drive utilities could potentially make an incorrect writeor overwrite to an incorrect place and make an entire volume unreadable.

Misconfigured settingsMisconfigured settings can occur anywhere, often in places you can’t predictor expect and manifesting in ways you may not anticipate. Even a simpleGroup Policy setting can be overridden in some indirect manner that leavesyou baffled as to why your Local Policy settings just aren’t taking effect.

Important registry settings or other startup and run-time parameters may bealtered in some manner that brings about chaos and disorder, which canhappen with an installed or improperly installed application, an unassumingalthough disastrous configuration change, or some other unintentional andapparently innocuous act.

Malware or viral infectionOn the malignant side of change lies malware and viral infection. Theseautomata of anarchy seek to ruin stability and security stance for individualcomputers and entire organizations alike. They usually aren’t coded with thebest intentions or by the best programmers fully capable of what they’redoing, and every so often you encounter one such beast that undeniably andperhaps irreparably damages something sacred.

Our intent isn’t to leave you grief-stricken by all that can possibly go wrong;we just want to foster a healthy situational awareness about your server envi-ronment and its operating conditions. Lots of little things can go wrong,plenty of them can be fixed, and few are really worth losing sleep over.

Diagnosing startup errorsHere are the five senses you may use to diagnose a given problem:

� Sense of smell

� Sense of sound

� Sense of sight

� Sense of feel

� Common sense


25_180433 ch18.qxp 2/25/08 7:52 PM Page 335

We appropriately omit the sense of taste because you really shouldn’t befound tasting your hardware components. It’s just not right.

Sense of smellYour sense of smell can alert you to an electrical or thermal issue. The smellof hot and burning hardware gives off a powerful smell that is very distinct,much like cooking in the kitchen. When you’ve been around hot hardware situated in poorly ventilated or inadequately conditioned environments,you’ll know the kind of odor we’re talking about.

Sense of soundAfter you’ve become acclimated to the operational quirks and characteristicproperties of your server hardware, it becomes like your daily commute. Younotice when your car sounds a little out of tune, or emits a sound you haven’theard before. Sensing that something is wrong becomes second nature to you;the very server you operate is sufficiently familiar that you’re fully aware ofits baseline behavior and condition.

Sense of sightSometimes you have to crack open the case to investigate what’s going oninside. How do things look? Is there sufficient dust buildup to impede airflow?Are any components showing visible signs of wear or tear? Simple observa-tion can reveal many clues about what probably or potentially causes problems.

Sense of feelOccasionally, you’ll have to place your hand near or on hardware to see howit feels. Do you feel any excess heat or vibration? Any residues or particlesthat don’t belong? Hot and humid operating environments can create unfa-vorable conditions inside a server case. Servers like to stay cool, much as wedo, and appreciate around the same climate and temperature that keeps ushumans comfortable, too.

Common senseWe say common sense, but these things really aren’t that common until youexperience them routinely and repeatedly. It’s uncommon to instantly knowall the particularities and oddities about the mechanical operation of yourserver prior to its construction. You can’t know if “that clicking noise” is actu-ally an acceptable byproduct or something to investigate. Common sense is askill honed with experience. Just pay attention to the fundamental aspects ofyour server hardware so you can grow to understand what it does, and howto identify and mend what breaks before or as it happens.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 336

Run-time issuesAfter you get past all the setup and first-boot issues, there still remains a vastexpanse of unforeseeable complications that may arise before you reach thedesktop and after you log in. There are higher-level application or systemconfiguration settings that manifest problems only in the user domain orwhen administering server operations.

We can’t possibly conceive of every potential avenue of attack, but we docover considerable ground in the first few subjects because they specificallyconcern Windows Server 2008 and not third-party or additional applicationsinstalled afterward.

User Account ControlWindows Server 2008 defaults to running applications as a standard user,even if you’re currently logged in with an administrative group account.Users who attempt to launch applications marked with administrative prop-erties will be asked to confirm their intentions, and only applications operat-ing under administrative credentials may affect system-wide and globalsettings. All this is handled in User Account Control, or UAC.

Custom or in-house installers/uninstallers and software update programs maynot be properly detected or permitted to run with administrative credentials.Standard user applications may fail to perform their tasks or be inaccessible,particularly if marked to require administrative privilege. Applications withinsufficient credentials may run incorrectly or not at all, which can be manifested in any number of ways.

We highly recommend familiarizing yourself with the UAC’s format and struc-ture, learn how it does and does not function, and so forth. Teach applicableusers to launch their privileged programs with the right-click context menufeature to run applications as administrator. Observe file and directory per-missions and group memberships and reduce any restrictive Access ControlLists (ACLs) that prove prohibitive. Custom applications should be written to operate in a least-privileged environment scenario, require the lowest


Troubleshooting problems while in safe modeSafe mode is a troubleshooting option forWindows that starts your computer with onlybasic services and functionality. If an existingproblem doesn’t reappear when you startWindows in safe mode, you can eliminate thedefault settings and basic device drivers as possible causes.

Should your computer automatically restart insafe mode, use the process of elimination to iso-late the source. Individually start all commonly-used applications, including those contained in the system Startup folder, to identify the probable cause.

25_180433 ch18.qxp 2/25/08 7:52 PM Page 337

workable level of user credentials, and present the smallest window of exposure when operating under administrator rights.

Group Policy infrastructureThe Group Policy infrastructure delivers and enforces preferential configura-tion settings and organizational policy settings for a given set of targeted users and computers within the scope of an Active Domain unit. It comprises a Group Policy engine and multiple client-side extensions, responsible for reading and applying these settings for individually targeted client computers.

That level of complexity and interdependency can make troubleshooting GroupPolicy problems downright vexing. Thus we can only hope that Microsoft will update its Group Policy Diagnostic Best Practice Analyzer (GPDBPA),which currently works for Windows XP and Windows Server 2003, to do like-wise for Windows Vista and Windows Server 2008. It’s an extremely helpful tool designed to “help you identify Group Policy configuration errors or otherdependency failures that may prevent settings or features from functioning asexpected.” (Microsoft’s own wording is so appropriate, we just had to quote it here.) You can find this tool by visiting the Microsoft Download center athttp://support.microsoft.com/kb/940122. Hopefully, by the time youread this, a similar tool for Vista and Windows Server 2008 will be available!

Printing infrastructureThe printing infrastructure for any Windows Server 2008 print server is orga-nized into a hierarchy of managed entities that collectively permit local andremote users to utilize and manage printers and all print-related activities.This defining structure is shown in Figure 18-1, with each relevant aspectsummarized in Table 18-1.

PrintingInfrastructure

Print Server

Print Queue

Print Spooler

Cluster

Driver

Ports

Print Tools

Figure 18-1:Hierarchy of

ManagedEntities:

Print Infra-structure.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 338

Table 18-1 Printing InfrastructureEntity Description

Print server A computer attached to a print device that is accessible toother users locally logged on and remotely connected throughthe shared printers folder.

Print queue The task list representation of a print device.

Spooler device The governing server process, also called a print spooler, thatmanages all print jobs and print queues for any given server.

Cluster A high-availability system distributed among two or more com-puters that share a given print queue workload in the event thatone of the computers fails or becomes inaccessible.

Driver The basic software instructions that make computer controlpossible over hardware devices.

Port An input or interface type that enables communicationbetween computer and device; typically a parallel, USB, orTCP/IP connection.

Print tools All local and remotely-situated applications that are responsi-ble for print queue management or printer-related tasks.

Physical printer The actual device that processes information and producesdocumentation.

When you begin troubleshooting this hierarchy, start by eliminating all themost obvious and simple causes first. Check for paper feed or supply issues,cable connections, power and activity light illumination, and so on. Next,work your way to the computer, analyzing software settings and relevant con-figuration settings for remote connections, including networking properties.How you individually process these elements is entirely up to you; all we suggest is a regular, thorough sequence upon which to base your work.

Windows ActivationAfter installing Windows Server 2008 in evaluation mode, should you attemptto restart the computer in Diagnostic mode beyond its expiration you won’tbe able to log in. You’ll receive a message that the activation period hasexpired. Try the following two solutions in this order:

1. Start msconfig.exe.

2. Under the General tab, select Diagnostic Startup.

3. Under the Services tab, choose Plug and Play.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 339

4. Click OK and then click Restart.

This lets you to restart the computer in Diagnostic mode by configuring thePlug and Play service. Otherwise, you may recover from this issue by settingthe computer to start normally. Follow these instructions:

1. In the Windows Activation dialog box, select Access Your Computerwith Reduced Functionality.

The Internet Explorer window appears.

2. In Internet Explorer 7’s address bar, type %windir%\system32\msconfig.exe and press Enter.

The MSConfig configuration utility appears.

3. Click General and select Normal Startup.

4. Click OK and then click Restart.

Hardware upgrades and software updatesYou may encounter run-time errors long after installation, perhaps after intro-ducing a new piece of hardware or upgrading an old one. If after installing anew device, your Windows Server 2008 install or the device itself fails towork, run through the following checklist:

� Ensure hardware device compatibility with both your server computerand Windows Server 2008.

� Install any necessary device drivers from their respective install media.

� Reboot the server to reinitialize or retry the driver.

� Reconnect any present USB devices to alternative ports.

� Check for update drivers through Windows Update.

Apart from checking Windows Update, always check the manufacturer’s Website for any updated driver versions, particularly those that might resolve theissues you experience. If installing a new driver is the source for instability orincompatibility, you can also restore a driver to its previous — presumablyknown-good — version (Device Manager➪Driver Category➪Driver➪Roll BackDriver). You must be logged in as administrator when performing mostdriver-related tasks.

If you suspect Windows Update had something to do with your latest issue,or if you want to eliminate it as a possible cause, you may also removeupdates. (Choose Control Panel➪Programs➪Installed Updates➪UpdateEntry➪Remove.) Generally, this isn’t recommended because many updatesaddress or enhance server security. Start by opening Windows Update andclicking View Update History to see a list of applied updates.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 340

If you’re prohibited from removing an update when connected to a network,there may be a Global Policy curtailing your activity, or it could be a security-specific update that can’t be retracted. A network-wide Global Policy andWindows Automatic Update may automatically reinstall updates when yourestart Windows Server 2008, so be prepared to handle such cases wherenecessary.

Last, always check Device Manager (click Start and type device managerinto the search field) when you suspect a hardware and/or driver issue. Anentry indicated by an exclamation point icon signifies a driver issue: Eitheran inappropriate or approximate match has been substituted in lieu of aproper or more recent driver. These devices may work in some cases yet failin others; the only real remedy is to find, install, and use the right driver.Device Manager is always your looking glass into the hardware and driversubsystem.

Monitoring Server OperationsPut Server Manager high on your priorities list when it comes to gatheringinitial intelligence on the issue at hand. Server Manager consolidates severalsubsets of system management functionality that were otherwise spreadamong many independent and diverse applets. Along with some preexistingcapability come new or newly-revised components that further facilitatesystem management tasks.

In many cases, Server Manager is the oracle into your server, a windowthrough which you can peer and observe its innermost workings. OpenServer Manager and expand your domain name to reveal a tree of entrieswhere you’ll find an appropriately-named Diagnostics subsection. In this sub-section, you’ll encounter three categories: Event Viewer, Reliability andPerformance, and Device Manager.

We recommend that you check applications and services logs, particularlyany warnings or errors topics that are relevant to the problem you’re cur-rently investigating. Sometimes the most minute details will escape observa-tion, only later found to be the culprit. As a matter of principle, you should atleast eliminate any question that the cause left an electronic paper trailthrough the system’s highly active logging and filing facilities, before digginginto detailed research and diagnostics.

Event ViewerWindows Server products have long included the Event Viewer application,which has remained relatively unchanged since its debut in Windows NT.Microsoft has redesigned this applet to supply a more aggregated view of


25_180433 ch18.qxp 2/25/08 7:52 PM Page 341

system-wide events that previously appeared only in individual event logs.Each of the initial primary categories remains the same (Application, System,and Security logs), but Event Viewer (shown in Figure 18-2) now provides aconsolidated perspective on the overall health of your server.

You may observe errors, warnings, and informational and successful audit details as they’ve occurred in the last hour and last 24 hours to gaugerecent activity. Expand each container for in-depth coverage of each event.Underneath the Event Viewer category branch lurks a Windows Logs con-tainer, a storehouse for event logs that appear in their old, familiar format.

Custom ViewsWindows Server 2008 presents large amounts of data at your request. AllWindows applications, components, and security parameters may be repre-sented, so Event Viewer provides you with filters necessary for deep inspec-tion. You may find that default methods for presenting such data doesn’t suityour needs or preferences, which is what motivates the Custom Views dialog.

This container is designed to permit dynamic content filtering based onsimple rules that you specify to Event Viewer for information display. Open amenu to select the Create Custom View dialog box by right-clicking theCustom Views container. Here, you can specify filters based on time period,event level (critical, error, warning, information, and verbose), event log,event source, include/exclude event IDs, task category, keywords, user, andcomputer entries.

Figure 18-2:The Event

Viewer.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 342

Windows LogsTwo additional categories (Setup and Forwarded Events logs) are includedwith the standard entries (Application, Security, and System logs). Setup logscontain information relevant to any system configuration changes, but theinformation isn’t always detailed or descriptive. Only a simple statement tothe effect of a role being installed or uninstalled will appear. ForwardedEvents logs contain entries based on subscriptions to remote system eventlog services, which are filtered against some criteria and sent here.

Applications and Services LogsApplication and Services logs are general events related specifically to theWindows operating system. Previously, you would browse the event logs for aparticular issue you wanted to troubleshoot; Windows Server 2008 nicely cate-gorizes and sorts events related to specific criteria (such as Active Directory).

When no events of interest appear in an event log, it’s reasonable to suspectthat logging has been disabled or log files have been cleared. Confirm thatlogging is indeed enabled (choose Log➪Properties➪Enable Logging) and —barring that — determine if logs have been cleared by searching the Systemlog for event ID 104 — the value generated whenever a log is cleared. Analyticand debug logs aren’t visible by default and must be specifically enabled forviewing. (Choose Event Viewer➪View➪Show Analytic and Debug Logs.)

Reliability and PerformanceWindows Server 2008 also consolidates Performance Monitor and other such relevant run-time information into a single applet, also made accessiblethrough the Server Manager interface. If you’ve spent any amount of timewith Windows platforms, you may already be familiar with its PerformanceMonitor tool — we use it as a barometer for the general well-being of ourworkstations and servers.

Monitoring ToolsExpand this container category to view the resource utilization overview,which has that familiar line-graph illustration and real-time update activityyou’re already accustomed to seeing. CPU, RAM, disk, and network activityare summarized in frequency of activity and a graph illustrating peaks andvalleys of activity throughout the observational time frame.

Each of these sub-elements in the performance dialog box can be furtherexpanded to reveal more detailed information about operational parameters.Underneath the CPU section, for example, there appears a list of activeprocesses and CPU time dedicated to each individual process, all of whichmakes up the utilization trends charted therein.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 343

Performance MonitorApart from its integration into Server Manager, Performance Monitor appearssimilar in form and function since Windows Server 2003. This diagnostic utility facilitates troubleshooting hardware issues, primarily processor uti-lization. The line graph charts CPU activity history as a running track record,with spikes indicating surges in activity for the noted time period. A high per-centage of processor utilization is indicative of overload and a potential bottleneck.

Performance monitoring consists of performance counters, performance logsand alerts, and the System Monitor. Counters provide utilization informationregarding how well the platform or its applications, drivers, and services are performing. This helps you to identify bottlenecks and better fine-tuneapplication performance through graphical charts and timeline indicators.

Performance logs and alerts generate alert notifications based on thesecounter thresholds. As an API, it can be used programmatically to query performance data, create event trace sessions, capture a configuration, andtrack API calls throughout some of the Win32 dynamic libraries. SystemMonitor is an API that enables you to view real-time data and track recordperformance counter data related to the CPU, RAM, and all of your diskdrives.

Reliability MonitorWindows Server 2008 is really good at keeping track of records for its dailyoperations and activities. It dutifully logs, dates, and sorts its entries andapplies your specially-defined filtering rules so that information is presentedin a manner you see fit. We’ve grow familiar with its form and become expectant of its function.

What happens when you work remotely or on a foreign system? Problem his-tory and server history are usually two key issues that are addressed withinthe opening of a trouble-ticket field dispatch or on-site servicing procedure.You can’t possibly know what that system’s performance has been over anylength of time, but the Reliability Monitor (shown in Figure 18-3) absolutelydoes know. This is an index into the running track record for system stabilityto include keeping tabs on software installs/uninstalls, application failures,hardware failures, windows failures, and a catch-all miscellaneous failurescategory.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 344

Steep drops, which level out again quickly, accompany installation of a newapplication. Any noteworthy event is detailed on the day of failure, anddouble-clicking a specific entry provides more detailed information aboutthe event.

Data Collector Sets and ReportsData collector sets are the cornerstones of performance monitoring andreporting within the new Windows Server 2008 Reliability and PerformanceMonitor. Data points are collected and organized into a single component tofacilitate performance tracking and periodic review. Collector sets can beindividually created and recorded or grouped with other collector sets andconfigured to generate alerts at specified thresholds. Sets contain perfor-mance counters, event trace data, and system configuration information.

You can create a collector set from existing templates or predefined collectorsets, or through individual configuration. These sets enable you to better uti-lize the Windows Reliability and Performance Monitor to track overall systemhealth and progress in a completely customizable way.

Figure 18-3:The

ReliabilityMonitor.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 345

Device ManagerUnderneath Reliability and Performance resides the Device Manager; click itslabel to produce the details pane for system-wide device properties. This isanother holdover from Windows Server products past. This application isresponsible for inventorying and reporting low-level hardware presence andfacilitates troubleshooting problematic devices or drivers.

The Device Manager maintains a catalog of devices installed on the system sothat you can identify any and all components. Use the Device Manager as awindow into your system whenever a device is improperly functioning or notidentified. Defective drivers are indicated by an exclamation point icon to sig-nify where you should begin diagnosing issues. You can also centrallymanage all drivers, versions, and updates.

Tweaking Windows Server 2008 for Efficiency

During the setup and install process, many additional components, packages,and language features are often included unnecessarily into your serverbuild. When you discover a need to reclaim precious native storage spaceand begin a process of elimination for all but the more critical parts, start bycleaning out any leftover installation material. This includes any MicrosoftOffice suite products as well — they tend to generate a lot of supportiveinstall-time files that tend to get left behind unless manually specified forremoval when installation completes.

Managed entitiesThe hierarchy of managed entities is pictured in Figure 18-4. Each element isdescribed briefly in Table 18-2.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 346

Table 18-2 Managed EntitiesEntity Description

Optional Component OCSetup.exe is a command line tool that and Package Setup installs, updates, and uninstalls optional

Windows components. We recommend using it for bare-bones Server Core installations; full-blown installs should use Server Manager.

Package Manager This is the underlying tool that OCSetup.exeuses to install Windows components and par-ticularly facilitates unintended installations anddisabling options in an offline Windows image.

Component-Based Servicing This is part of the servicing stack (files andresources required to service a Windowsimage or live OS) that provides APIs to clientinstallers such as Windows Update or Windows Installer.

(continued)

SetupInfrastructure

OptionalComponent andPackage Setup

LanguagePack Installation

Language PackSetup

LanguagePack Cleanup

PackageManager

Component-Based Servicing

Figure 18-4:Hierarchy of

ManagedEntities.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 347

Table 18-2 (continued)Entity Description

Language Pack Installation Supplemental language support files makedialog boxes, menus, wizards, and built-in helptopics accessible to non-native speakers.

Language Pack Setup Lpksetup.exe installs and removes multilin-gual user interface (MUI) language packs andlanguage interface packs (LIPs).

Language Pack Cleanup This is an automatically-scheduled, run-onceapplication that operates in silent mode on thefirst boot after installation completes, and thenremoves any unused language pack files.

Run-time optimizationWindows Server 2008 does a fair job of minimizing unnecessary componentsbundled with the default install. This confers several immediate advantages:It shortens the install phase, creates a more flexible minimal foundation uponwhich to build your specific features, and gives you greater control oversetup aspects. Typically, there isn’t a whole lot to the default install that youneed to strip away to streamline your server.

Over time, or through a timeline of developmental periods or experimentalphases, you may experience sluggish system performance owing to an abun-dance of unnecessary or resource-intensive system processes and components.We like to maintain a conservative profile and remove parts that aren’t vital tosystem or business functions. In the sections that follow, we cite a few suchexamples to inspire your own excursions into the realm of server optimization.

Turn off Indexing ServiceWindows Indexing Service generates search content properties for all filestargeting local and network-attached storage volumes to optimize return-timefor results. This service runs continuously and can potentially slow the PC’sperformance, particularly on servers with revolving data storage and continuous cyclic indexing.

If you don’t need fast file searches, turn off Indexing Service by followingthese steps:

1. Open Computer.

2. Select the target volume, right-click, and choose Properties.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 348

3. Deselect the Allow Indexing Service to Index This Disk check box.

4. Click OK.

Disable unnecessary servicesServices run continuously in the background and even consume resources intheir idle states awaiting some event or receipt of data. Not all that is loadedis needed, which is particularly why Microsoft wisely chose to componentizeand modularize Windows Server 2008 into a Server Core build option.

Over time, you may find your system consumed by many services ravagingmany shared resources, only to realize that some of those processes are nolonger necessary. Either they’ve fallen into disuse, never found utilization, orsince been replaced by the next best thing. Either way, you neither want norneed them there, so you should remove them.

To view startup services and statuses, open Start and type services.msc inthe Start Search bar. Left-click a service entry to view its description andbecome informed of what other dependent functionality will be affected byits removal from operation.

To disable a service, follow these steps:

1. Right-click the service and choose Properties.

2. Change its startup type to Manual.

3. Click Stop to halt the service.

Schedule Disk DefragmenterIf not already set, schedule disk defragmentation at regular intervals that correspond to local usage. Disk defragmentation realigns file segments tooptimize their arrangement on disk so that they may be read and written to most efficiently. This ensures optimal disk performance, especially fordrives that process large numbers of files of various sizes.

Making the Most of Your ServerAs you build your own body of experience in working with Windows Server2008, you’ll become more confident in using its tools and in tweaking, opti-mizing, and adjusting it to better fit your business needs. In the meantime, wehope these troubleshooting tips — and the rest of this book, in fact — willhelp you cultivate the skills and knowledge that you’ll employ to keep thingsup and running.


25_180433 ch18.qxp 2/25/08 7:52 PM Page 349


25_180433 ch18.qxp 2/25/08 7:52 PM Page 350

Part VThe Part of Tens

26_180433 pp05.qxp 2/25/08 7:52 PM Page 351

In this part . . .

When Moses came down from the mountain, howmany commandments did he carry? Ten. How

many fingers do most people have? Ten. On a scale of oneto ten, what’s a perfect score? Ten. We aren’t entirely surethat all these things are necessarily connected, but thatnumber shows up everywhere, even on the Late Show withDavid Letterman. Perhaps that’s why The Part of Tens is akey ingredient in this and all other For Dummies books.Then again, it could just be a coincidence. . . .

Each chapter in this part includes a list of tips, tricks, tech-niques, reminders, and resources for inspired informationabout your Windows Server 2008 system and its network.We’d like to claim the same source of inspiration thatMoses had for his commandments, but our Part of Tenscomes only from the “School of Hard Knocks” next door.

These chapters are constructed to save you time, steeryou around common networking potholes, and get yousafely past common sources of chaos and confusion. Thebest part of tens, however, is one that doesn’t appeardirectly in this part of the book — that’s the part whereyou hold your breath and count to ten as you begin to loseyour cool. If you try that part first, the other Part of Tenswill do you a lot more good!

26_180433 pp05.qxp 2/25/08 7:52 PM Page 352

Chapter 19

Ten Tips for Installation and Configuration

In This Chapter� Exceeding minimum requirements gives you peace of mind

� Using real server hardware really makes a difference

� Installing Windows Server 2008 across the network

� Automating Windows Server 2008 installation

� Troubleshooting installation problems

� Defaulting to VGA display mode

� Booting from the Last Known Good Configuration or the installation media

� Backing up may be hard, but it’s good to do!

� Planning a successful server installation

If you spend enough time working with Windows Server 2008, you undoubtedly will be required to install this software on multiple systems.

This job can be more “interesting” than it has to be — not to mention that itcan take more time than you want it to.

This chapter provides some fact-filled sources of information, some tried-and-true guidelines, and some great repair tools and techniques to help you successfully survive the Windows Server 2008 installation process.Knowing these tips and not needing them is better than not knowing butneeding them.

27_180433 ch19.qxp 2/25/08 7:52 PM Page 353

Exceed the Minimum RequirementsTable 19-1 offers a quick rundown of the minimum requirements to runWindows Server 2008 (and bonus realistic recommendations).

Table 19-1 Windows Server 2008 Minimum Requirements (Plus Realistic Recommendations)

Item Minimum Requirement Recommended

CPU 1 GHz 2 GHz

RAM 512MB 4GB

Disk space 10GB 1TB

Optical drive DVD-ROM DVD-ROM

NIC Integrated chip Add-in card or two (TOE is best)

Display Super VGA (800 x 600) Super VGA (800 x 600) orbetter

Pointing device MS Mouse or compatible MS Mouse or compatible

To configure a production server to conform to minimum requirements is a recipe for disaster. The performance (or lack thereof) you’d be able tosqueeze from such a machine would have a mob of users at your heels in no time at all.

When building a Windows Server 2008 computer, more of just about every-thing is better: This applies to more powerful (and more) CPUs, more RAM,and more powerful network interface cards (NICs). Servers do their jobs inquiet obscurity in most cases, so you don’t have to install a 512MB graphicscard, a fancy flat-panel monitor, or a top-dollar mouse or touchpad. You canopt to skip the DVD player on the Windows Server 2008 computer as long asyou can access the server across the network from another machine wherethe contents of the DVD-ROM have been copied to a hard drive.

If you install Windows Server 2008 on a machine that doesn’t include a NIC,you won’t be able to install or configure any of its network-related aspects.We’re convinced that there’s no point to installing a server that isn’t attached

354 Part V: The Part of Tens

27_180433 ch19.qxp 2/25/08 7:52 PM Page 354

to a network, so don’t install Windows Server 2008 on a machine unless it hasa NIC. (Even better, use a NIC connected to a real, live network, if not multipleNICs, preferably with a TCP/IP Offload Engine, or TOE, to help max out network performance.)

Use Only Qualified Server HardwareBefore you even think about installing Windows Server 2008 on a machine, be sure that the hardware you’re considering will make a good home for thatsoftware. Nevertheless, without a formal seal of approval or a guarantee from a vendor, how can you be sure that the software will work with yourhardware?

Fortunately, you can be sure by checking the Windows Server Catalog. This isa comprehensive list of hardware that’s been tested and certified to be com-patible with Windows Server 2008 (or other server versions). This catalog isavailable online at www.microsoft.com/whdc/hcl/default.mspx.

You can also use the installation utility to automatically check your hardwarefor you. However, to use the latest catalog available, the system must alsohave Internet access. There are two ways to test your system for catalogcompliance:

� Insert the DVD and let the auto-run mechanism start. (Or execute fromstartup.exe from the root of the DVD.) Click Check SystemCompatibility and then click Check My System Automatically.

� Execute the following from the command prompt or Run dialog box:

i386\win32 /checkupgradeonly

Both methods attempt to first download the latest hardware catalog and thentest your system’s hardware for compliance with the requirements ofWindows Server 2008. If any problems or incompatibilities are found, you seean onscreen report.

Many hardware vendors offer server machines with Windows Server 2008preinstalled. When you’re buying new servers, price one that includes theWindows Server 2008 operating system and one that doesn’t. You may bepleasantly surprised by the price breaks you can get when buying a preinstalled system.

355Chapter 19: Ten Tips for Installation and Configuration

27_180433 ch19.qxp 2/25/08 7:52 PM Page 355

Install from Your NetworkThe following may seem counterintuitive, but here it goes: Copying files froma hard drive elsewhere on a network is faster than copying files from a localDVD-ROM player (even a 36x or 40x player). Why? Because hard disks are asmuch as 40 times faster than DVD ROM drives.

Savvy network administrators create a set of directories on a network driveand install Windows Server 2008 across the network when they can. Thistactic is fast, easy, and requires only that you load a DVD once, no matterhow many times you install from it. In fact, network installation is whatmakes the next topic — automated installations — feasible.

Let the Software Do the Work:Automating Installation

Normally, user input drives the Windows Server 2008 installation program:from character-based prompts during the initial load phase and by user navigation of menus and input items during the later phases. As an alterna-tive, text files called answer files may drive Windows Server 2008 installation,making it possible to automate installation more or less completely. Script-driven installation can be especially handy when you must install more thantwo or three copies of Windows Server 2008 at any given time.

Windows Server 2008 supports more methods for automating installationthan previous implementations (such as Windows Server 2003 and NT 4.0),including the following:

� You can create a single variation or several variations of base installa-tion material and deploy them in enterprise-wide computers all at oncewith company-specific applications, configurations, and data.

� You can create a set of automated commands to complete the Setupprocess without requiring human intervention (at least, as long as noerrors are encountered).

� You can create a separate specialty recovery partition using theWindows Preinstallation Environment to create a Windows RecoveryEnvironment for on-the-go or self-service users.

� You can even automate the first logon after Windows Server 2008’s setupcompletes to install and configure selected applications, and then shutdown the system thereafter — all from the magic of answer files!


27_180433 ch19.qxp 2/25/08 7:52 PM Page 356

How do you get a piece of this magic? Well, you can dig into the WindowsServer 2008 Technical Library, available online at http://technet2.microsoft.com/windowsserver2008/en/library, and dig into the Server Manager entries available there. Or you can go straight to work with a utility called Server Manager command, also known as ServerManagerCmd.exe, which gets installed as part of the base Windows Server2008 installation.

The Windows Server 2008 ServerManagerCmd utility supports scripting and unattended deployment of Windows Server 2008 roles using XML-basedanswer files. Their structure and syntax is explained in the Server ManagerTechnical Overview Appendix (available through the Server Manager entry through the preceding Technical Library link), along with completedocumentation for the command line arguments available that determinehow the answer file will be interpreted.

Windows Server 2008 also includes two utilities that are somewhat Ghost-likein their capabilities. (Ghost is a popular system-imaging utility for Windowscomputers that allows administrators to set up a single installation, take asnapshot, and then customize that same snapshot to install one machine orseveral machines at the same time.) These two utilities follow:

� Sysprep: A utility designed to duplicate disk contents when installingmultiple, identically configured machines at the same time. First, youcreate a normal installation on a single machine, and then you install theapplications you want to distribute. Next, you use Sysprep to distributecopies of this configuration to other identical systems elsewhere on thenetwork. It doesn’t get much easier than this!

� Syspart: A utility designed to clone installations across multiplemachines where the hardware is dissimilar. It works as an extension ofthe unattended install facility with a default unattend.txt answer file.

You can also consult the Windows Server 2008 Resource Kit (published byMicrosoft Press) or the TechNet CD or Web site to find out all you can aboutthe various installation files before starting any big jobs. We also advise youto try a couple of trial runs using these tools before attempting to automatethe installation of one or more production servers.

You can access Microsoft TechNet content by using the search engine available online at http://technet.microsoft.com. Check the MicrosoftPress Web site at www.microsoft.com/learning/books/default.mspxfor availability of the Windows Server 2008 Resource Kit.


27_180433 ch19.qxp 2/25/08 7:52 PM Page 357

Beat Installation Weirdness: Be Persistent

Despite your best efforts, and even if you’ve taken all the proper precautions,the occasional Windows Server 2008 installation will fail. We’ve seen causesof failure that range from defective media to network congestion (trying tocopy files to too many machines at once) to boot sector viruses. (We hatewhen that happens!)

When an installation fails, take a deep breath, count to ten, and try any or allof the following corrections:

� Restart the installation: If you get past the initial parts of the charactermode portion of the installation, the software is often smart enough topick up where it left off and carry on from there. If you’re that lucky,count your blessings and then go out and buy a lottery ticket!

� If installation won’t pick up where it left off, look for a directorynamed $WIN_NT$.~LS: Delete this directory and its contents. TheWindows Server 2008 installation program looks for these directoriesand attempts to save time by picking up where it left off. We include theDOS DELTREE command in our emergency install disk tool kit because itlets us dispatch these directories and their contents quickly and easily.

� If all else fails, repartition and reformat the boot drive to remove allvestiges of your failed attempt: You’ll start over with a clean slate! Ouremergency install disk toolkit also includes a DOS Fdisk and a handy utility called Delpart.exe, which can remove even non-DOS partitions(such as NTFS) from a PC hard drive. Delpart.exe is available for freedownload from several Web sites. Search your favorite search engine forDelpart.exe.

If the final technique doesn’t work, recheck the Windows Server 2008Hardware Catalog for potential sources of difficulty. (See the “Use OnlyQualified Server Hardware” section earlier in this chapter for details on this catalog.) Otherwise, look for guidance on your problems on Microsoft’sTechNet CD or the Windows Server 2008–related newsgroups on thenews://msnews.microsoft.com news server.

Let Lo-Res Come to Your Rescue!You’ll find out that Windows Server 2008 doesn’t care a bit whether the display on your Windows Server 2008 machine is working. Windows Server2008 continues to chug along quite happily — even if you can’t see what the


27_180433 ch19.qxp 2/25/08 7:52 PM Page 358

system is doing because the screen is totally confusing or nothing is showingat all. The leading cause of display problems is loading a display driver thatdoesn’t work with your graphics adapter, or your monitor, or both!

When this problem happens (and it’s a common post-installation problem),don’t panic. Simply reboot the machine. (Press the Reset button on the com-puter case if you can’t read the screen at all.) When the boot menu shows up,press F8 to access the Advanced Options, and then select Enable Low-Resolution Video (640x480).

Doing so boots Windows Server 2008 with a plain-vanilla VGA driver. Then youcan try a different driver (or troubleshoot the hardware). This time, use thetest button to make sure the driver works before you change your display!

Use “Last Known Good” to Do Good!After installation is complete, you must continue to configure your WindowsServer 2008 to install additional software and add all types of informationabout system and user policies, account and group names, and so forth. Ifyou encounter trouble along the way, or Windows Server 2008 balks for somereason and won’t boot, you can always use the F8 technique described in theprevious section to view and select from its advanced boot options. Thistime, pick the entry that reads “Last Known Good Configuration.” Also knownas the LKGC, this uses the last working set of startup settings to restart themachine, and usually suffices to escape the malign effects of a bad driverinstallation or faulty configuration setting. After using this option, you’ll have to repeat everything you did since the last time you rebooted — andhopefully, fix whatever broke in the meantime — but at least you’ll be able to keep chugging along in forward motion.

A Custom Installation Saves Systems!The problem with Startup disks is that it takes six of them to boot olderWindows Server 2003 installations. Using disks also forces you through atime-consuming set of steps to get a machine running. Fortunately, creativeminds decided to develop a generic Windows Server 2008 and Windows Vista installation Windows Image Format (WIF) and a new disk-imaging toolcalled ImageX.

You can even install a preinstallation setup environment onto the target computer so that the DVD media needn’t even be accessible for self-serviceand repair in the field by the system end-user. The Windows RecoveryEnvironment (Windows RE) is an extensible recovery platform based on the


27_180433 ch19.qxp 2/25/08 7:52 PM Page 359

Windows Preinstallation Environment (PE), which is triggered any timeWindows fails to startup. A Startup Repair tool automates system diagnosisand repair for the unbootable installation and serves as a starting point formanual troubleshooting and recovery.

Newer server hardware configurations may exclude floppy drives in prefer-ence for the now prevalent CD and DVD drives. However, the theory of preventive maintenance and a bootable recovery medium remains much thesame. Server motherboards with compliant BIOS settings can even boot fromUSB drives and storage devices, which further increases your recoveryoptions in the event of failure.

Every time you make a change to Windows Server 2008, those changes arerecorded in the Windows Server 2008 Registry. Sometimes, those changescan have unforeseen side-effects — especially if you’ve been editing theRegistry directly — and can make your machine falter or even fail to boot.When your machine does falter or fails to boot, always try reverting to thelast working version of the Registry. When the boot menu shows up, press F8 to access Advanced Options, and then select Last Known GoodConfiguration. You roll back to the version of the Registry that was in use thelast time your machine booted successfully. The good news is that yourmachine will probably boot; the bad news is that you’ll lose all the changesyou’ve made since the last time you rebooted the machine. Bummer!

When you make lots of changes, either back up the Registry or reboot frequently. This keeps the amount of work you can lose — from an ill-advisedRegistry change, a bad driver selection, and so on — to a minimum. Restorepoints include Registry backups as part of what they capture, so they’re just as good as a Registry backup per se, only easier! Choose Start➪ControlPanel➪System➪System Protection, then click the System Restore button tocreate a restore point at any time.

Use the Windows Server 2008 DVD to Boot

The Windows Server 2008 DVD is bootable, which means that you can bootyour server from the DVD. You no longer need to mess with startup boot floppies. To boot your system from the DVD, make sure your server BIOSincludes the optical drive in its boot priority settings, preferably at or nearthe top of that list.

If your system won’t boot from the DVD, it needs to boot from something. Ifthat’s the case for your system, there are ways to work around this problem.Worst case, you can create a minimum boot image on a USB flash drive


27_180433 ch19.qxp 2/25/08 7:52 PM Page 360

and take that route, or do likewise with a USB-attached hard disk. MicrosoftTechNet provides a helpful article that explains just how to do that atwww.microsoft.com/technet/technetmag/issues/2006/10/WindowsPE/default.aspx.

Microsoft soars to new heights with its latest bootable DVD media, but youhave to experience this at work to appreciate the difference. For starters, the same installation DVD doubles as a diagnostic and troubleshooting diskthat can boot a dead installation, perform basic startup repair, or enable anadministrator to select from restore or backup options without booting intoWindows. What isn’t so obvious is the underlying Windows Image Format(WIF) that drives the entire installation — it’s essentially a template imagethat you can recreate and custom tailor to suit your personal or businessneeds. Whether deploying a single workstation and server or several workstations and servers, the new WIF framework lets you customizeWindows installations to meet your needs.

When in Doubt, Back Up!Windows Server 2008 is a reliable operating system, but accidents dohappen. Make sure you back up your Windows Server 2008 before you makeany significant changes to that machine. Significant changes include addingbeaucoups of new users or groups, making Active Directory changes, addingservices or applications, or doing anything else that significantly updates theRegistry. Then, if the server goes down after those changes are applied, youcan always restore the backup after booting from your startup disks andreactivating the backup software to get back to where you started. Don’tleave home without it!

Prepare for the Real Work!Although installing Windows Server 2008 by itself is no mean feat, the realwork begins when that job ends. Formulate and then translate your plans fordomain and directory structures, machine names, usernames, group names,and disk structures from concept to reality. This is the real work that makesWindows Server 2008 usable to your audience and able to deal with thedemands they’ll put on your system. And again: Remember to back up yoursystem on a regular basis!


27_180433 ch19.qxp 2/25/08 7:52 PM Page 361


27_180433 ch19.qxp 2/25/08 7:52 PM Page 362

Chapter 20

Ten Steps to Networking Nirvanawith Windows Server 2008

In This Chapter� Starting with the usual suspects

� Making routing work

� Curing IP indigestion

� Speeding up the network at the interface

� Conquering network congestion

� Investigating network services

� Resolving address issues

� Backing out changes

� Learning how to ask for help

� Preventing problems beats fixing them

Windows Server 2008 without a network is like a bicycle without wheelsor chips without salsa. (Our apologies in advance to the unicyclists

and fat-free members of our audience.)

Because Windows Server 2008 and networking go together like gangbusters,your gang (of users) may try to bust you whenever the network stops work-ing. Try as you might to avoid it, it will happen from time to time. When thenetwork goes on vacation but you’re still in the office, read over these tipsand tricks to get things shipshape again.

28_180433 ch20.qxp 2/25/08 7:52 PM Page 363

Never Overlook the ObviousThe number one cause for failed networks is — you guessed it — loose con-nections. Always check a server’s network interface cards (NICs) to make sure that cables are still plugged in or otherwise attached. Also, checkall hubs, routers, the Integrated Services Digital Network (ISDN) box, themodem, and anywhere else those cables go (including client machines).

Networking experts often talk about a troubleshooting pyramid that followsthe progression of network capabilities up from the hardware and cablesthrough the protocol stack to the applications that request network services.In this analogy, the base of the pyramid is far bigger than the top. This pyra-mid illustrates that problems are most likely to occur at the physical level ofnetworking. Why? Because that’s where the cables and connections are. Goahead — check them again.

Check Windows Server 2008 RoutingWindows Server 2008 happily lets you insert two or more network adaptersor other devices that can carry network traffic — such as modems, Fibre Channel interfaces, or even Channel Service Unit/Data Service Units(CSU/DSUs) for high-speed digital networking. Doubling up on networkadapters (or other network traffic handling devices) lets Windows Server2008 move traffic from one connection to another. This capability, known as routing, enables Windows Server 2008 to interconnect separate pieces of a network.

The most exposed and important part of many networks is the link that ties a local network to the Internet (or at least, to your local Internet ServiceProvider). If Windows Server 2008 fills that role on your network, be preparedto perform regular troubleshooting rituals to keep this all-important link tothe outside world running.

If you can, you should isolate this function on a separate computer or a net-work appliance designed for that role. This is a good idea for two reasons:

� Adding the burden of routing traffic and managing an Internet interfacerequires additional software and services that can tax (and possiblyoverburden) a Windows Server 2008 system.

� Limit the impact of system failure to as few services as possible.Chances are that your users will be less unhappy if they lose onlyInternet access or only access to shared files and applications, ratherthan losing both at the same time.


28_180433 ch20.qxp 2/25/08 7:52 PM Page 364

If you do use a Windows Server 2008 system as a router, especially if anInternet link is involved, think about installing or using firewall software, suchas Microsoft’s Windows Firewall and Network Access Protection (NAP), onthat machine. A firewall protects your network from interlopers and allowsyou to monitor and filter incoming (and outgoing) content and information,while NAP lets you quarantine remote users who don’t meet your securitypolicy requirements (current anti-virus software, OS patches, and so forth).

Open Your TCP/IP ToolkitIf you’re going to attach to the Internet (and who isn’t, these days?), you wantto build a TCP/IP toolkit to help with the inevitable troubleshooting choresinvolved in keeping a TCP/IP network working properly.

Fortunately, Windows Server 2008 includes a fine collection of TCP/IP toolsand utilities that you can use immediately. Table 20-1 includes some primecandidates for your IP troubleshooting toolbox. Given this arsenal of tools,you should be well prepared to shoot TCP/IP troubles before they shoot you!

Table 20-1 TCP/IP Diagnostic UtilitiesUtility Description

arp Displays the address translation tables used by the IP AddressResolution Protocol (ARP). Helps detect invalid entries andensure proper resolution of numeric IP addresses to MediaAccess Control (MAC) addresses.

hostname Displays your IP host name onscreen. Use this to check yourmachine’s current name.

ipconfig Displays all current network configuration values for all interfaces. Use this to check address assignments for yourmachine, the default gateway, and the subnet mask.

nbtstat Shows protocol statistics and active connections usingNetBIOS over TCP/IP. Use this to troubleshoot Microsoftnaming issues.

netstat Shows active TCP and User Datagram Protocol (UDP) connec-tions. Use this to check TCP/IP network connections and statistics.

nslookup Displays information about known DNS servers.

(continued)

365Chapter 20: Ten Steps to Networking Nirvana with Windows Server 2008

28_180433 ch20.qxp 2/25/08 7:52 PM Page 365

Table 20-1 (continued)Utility Description

ping Verifies basic connectivity to network computers. Type PINGloopback to check internal capabilities first, and then checklocal and remote machines to check overall connectivity.

route Displays network routing tables and enables you to edit entries;useful primarily when static routing is in effect.

tracert Determines the route from the sender to a destination by sending Internet Control Message Protocol (ICMP) echo pack-ets that cause all stations between sender and receiver toannounce themselves.

Use One or More Fast Server Network Adapters

On a Windows Server 2008 Server, performance is the name of the game. In networking, because network traffic tends to congregate at the server,spending extra bucks on a fast, powerful network adapter makes sense. At abare minimum, you want a Peripheral Component Interconnect (PCI)–basedNIC, if not a PCI-e x4 or x8 card or a PCI-X 133 MHz card. Other hardwareenhancements worth purchasing for Windows Server 2008 network adaptersinclude the following:

� TCP Offload Engine (TOE): Permits the network adapter to handle TCPpacket processing without requiring the CPU to get involved very much.This requires a network adapter that supports the Windows Server 2008TCP Chimney with a driver that can handle TCP offload functions, butsuch cards are widely available. (See Appendix A for details.)

� Direct Memory Access (DMA): Enables the network adapter to transferdata directly from its onboard memory to the computer’s memory without requiring the CPU to mediate.

� Shared adapter memory: Enables a network adapter’s onboard RAM to map into computer RAM. When the computer thinks it’s writing (orreading) to its own RAM, it’s writing (or reading) straight to (from) thecard. Shared system memory works the same way, except the card readsfrom and writes to the computer’s RAM instead of its own onboard RAM.Extra memory for network adapters is almost as good as more RAM onWindows Server 2008 PCs!


28_180433 ch20.qxp 2/25/08 7:52 PM Page 366

� Bus mastering: Lets the network adapter manage the computer’s bus to coordinate data transfers to and from the computer’s memory. Busmastering enables the CPU to concentrate on other activities and canimprove performance by 20 to 70 percent. This is the most worthwhileof all the enhancements mentioned here.

The idea is to put the processing power and speed where it does the mostgood: on the network adapter with which all users interact to obtain datafrom (or move packets through) a server. A high-speed backbone (GigabitEthernet or better) is also an extremely good idea for modern networks.

Know When to Divide and When to Conquer

When traffic reaches high levels on a network segment, traffic jams occur just like they do at rush hour on the highway. When this happens, you needto improve the existing roads (switch to a faster network technology) or addmore roads (break up the existing network and put one subset of users onone new piece, another subset on another piece, and so on).

How can you figure out when traffic is starting to choke your network? Easy!Windows Server 2008 includes a service called Network Monitor (affection-ately called NetMon) that you can install on your server to monitor the trafficmoving into and out of your server (and on the cable segment or segments towhich that server is attached).

NetMon doesn’t install on Windows Server 2008 by default, but it’s easy toadd. Choose Start➪Control Panel➪Add or Remove Programs➪Add/RemoveWindows Components➪Management and Monitoring Tools. Then click theDetails button, select the Network Monitor Tools check box, and click OK.After you follow the instructions from there, NetMon shows up in theAdministrative Tools folder (Start➪Administrative Tools➪Network Monitor).

Get to know NetMon, and you get to know your network much better!

When in Doubt, Check Your ServicesWhat do network servers do? They provide network services. When thingsget weird with Windows Server 2008 and you can’t find anything wrong with the network, visit the Services tool, as shown in Figure 20-1.


28_180433 ch20.qxp 2/25/08 7:52 PM Page 367

To view this display, follow this menu sequence: Start➪AdministrativeTools➪Services. Then click the Services entry to view the list of services currently installed on Windows Server 2008.

Be sure to check the entries for key services such as Computer Browser, theServer service, and the Workstation service. Make sure that the Status fieldsays Started and that the Startup field is properly set. (It should readAutomatic for services that are supposed to launch upon startup.)

Many times, when the network shows no obvious problems, you may findthat a key service has been paused or stopped or has simply quit for somereason. If a service has stopped, refer to the Event Viewer to find out whybecause a stopped service usually indicates a serious problem that will recur.

Handle Names and Addresses EfficientlyThe only way to find something on a network is to know its address. Alas,human beings are better at remembering symbolic names than numericaddresses (or worse yet, the arcane bit patterns that computers use toaddress one another).

This means a lot when you operate a working network, but two primary concerns from a troubleshooting perspective are:

Figure 20-1:The

Servicestool

indicatesthe status

for allservices

installed onWindows

Server 2008.


28_180433 ch20.qxp 2/25/08 7:52 PM Page 368

� The services that provide name-to-address translation must be properlyconfigured and working correctly for users to use a network effectively.

� Network addresses, subnet masks, and related information (such asdefault gateways, router addresses, and so on) must be unique, properlyspecified, and in substantial agreement for computers to use a network properly.

Symptoms of trouble in this area are many and varied. Duplicate addressesusually cause all holders of the same address to drop off the network. Invalidnames or addresses simply can’t be reached and may require serious trou-bleshooting to correct. Active Directory may be unavailable or not workingfor some reason or another. (In general, check the spelling of names carefullyand the numeric values for addresses equally carefully.)

Fortunately, problems in this arena usually make themselves known duringinitial configuration or when settings change. If you simply check your settings and assumptions against a known, working set of values, you canusually undo such woes quickly and painlessly.

Ask What’s New or DifferentWhen troubleshooting a network, what’s new or what’s changed is often asource of trouble. Thus, when you investigate network snafus, be sure to askyourself, “What’s new?” and “What’s different?” right away, and then answerin as much detail as possible. While digging up those gory details, you willoften uncover the source of the trouble and can determine its solution, all inone swift fell swoop.

Savvy network administrators keep a log of changes and additions to serverson their networks, so when those key questions get asked, answers are imme-diately forthcoming. You could do worse than to emulate these professionals!

If You Need Help, AskOccasionally, when troubleshooting a system, you run into problems that areso mysterious or baffling that you won’t have a clue about how to correctthem. When that happens, don’t tear out your hair — ask for help instead.


28_180433 ch20.qxp 2/25/08 7:52 PM Page 369

If you’re having a problem with Windows Server 2008, your first (and hope-fully, last) source of support should be the various Microsoft Web pages onthe product. The Microsoft Small Business Center is a good place to start (www.microsoft.com/smallbusiness/support/technical-overview.aspx). If you get stuck, you can always visit the online forumswhere other Windows Server 2008 users and experts congregate. You canalso check the TechNet CD (you can order it from www.microsoft.com/technet) or the Microsoft Developer Network (which you can join at www.msdn.microsoft.com).

If the problem is with a piece of hardware, check the manufacturer’s Web siteor bulletin board for a driver update. If that doesn’t lead to a happy dance,you may have to pay that vendor’s tech support operation for some advice,too. If you can determine a problem’s root cause, you can often get help fromthose who know that root the best. Even if it costs you, think of the valuabletime (and aggravation) you’ll save. Better to light a candle than curse the darkness!

Watch Network Trouble SpotsThe best way to shoot network trouble and other types of system problemsis to stop them before they happen. The only way to prevent problems andkeep your network running is to study your network environment closely and carefully and figure out where its weak points are. Do this before yournetwork demonstrates its weaknesses to the world at large by breaking.

If you keep an eye on potential trouble spots and perform regular mainte-nance and upkeep activities (such as scheduled backups, file-systemcleanups, upgrades, service packs, and hotfixes), you can prevent problems.And believe us, preventing problems isn’t just less work, it’s also the cause of far less unwanted notoriety than fixing things after they break. Don’t feelcompelled to learn this the hard way!


28_180433 ch20.qxp 2/25/08 7:52 PM Page 370

Part VIAppendixes

29_180433 pp06.qxp 2/25/08 7:53 PM Page 371

In this part . . .

Consider this part of the book a no-charge addedbonus to the preceding primary chapters, and you’ll

get a good sense of why this stuff is in here. We want toprovide our readers with some additional information andbackground to help them appreciate why server PCs aredifferent from desktops, and we want to help them adaptto the brave new world of Windows Server 2008–basednetworks.

In one of our appendixes, we tackle networking compo-nents and technologies most likely to be of interest tothose who work with network servers, such as TOE (notthose little wrinkly things at the end of your feet, ratherspecial hardware called a TCP/IP Offload Engine, which isdesigned to take the work involved in processing networkpackets from your CPU and turn it over to your networkinterface card instead — and you thought you didn’t needthis, eh?). And last but by no means least, we providepeerless pointers to nonpareil sources for Windows trou-bleshooting. You may not find them interesting to read forentertainment value, but when you need them, you’ll beglad you have them!

29_180433 pp06.qxp 2/25/08 7:53 PM Page 372

Appendix A

Server Components and Technologies

Like most server operating systems, Windows Server 2008 performs at its best if equipped with more of everything: more CPUs (and more CPU

power), more RAM, more storage, and more and faster network interfaces. Inthis appendix, we cover key server components, explain briefly how theywork and what kinds of options you have available, and describe price andperformance tradeoffs you’ll encounter when pondering spending more orless money to acquire more or less performance.

In the sections that follow, we discuss the following topics as they relate toserver platforms and hardware:

� Server motherboards: What makes them different and special as compared to their desktop brethren

� Processors: Why more CPUs with more cores get more work done, aswell as what makes server processors different from desktop CPUs

� Memory (RAM): Why more is nearly always better, and what makesserver RAM different from desktop RAM

� Disk drives, controllers, and RAID arrays: High-speed disk drives, special-purpose disk controllers, and disk arrays all combine to giveservers a decidedly different take on storage than is typical for desktops.

� Network interfaces: TCP/IP Offload Engines (also known as TOE), higher speeds, and multiple interfaces put servers on a different networking path than most desktops or workstations walk.

Our goal is to describe what kinds of things are available and how much they cost, what kinds of features and functions you should look for, and whatkinds of tradeoffs you’ll have to make between cost and performance.

30_180433 bapp01.qxp 2/25/08 7:53 PM Page 373

Server MotherboardsYour choice of server motherboard will determine most of the other components that go into a server, so in many ways, it’s both heart and soul of any resulting server. The motherboard

� Includes one or more CPU sockets (which determine what kind of central processor you use) and memory sockets (which determine howmany and what kind of memory modules you use).

� Includes (usually) two GbE network interfaces and sets the foundationfor networking capability.

� Defines base-level RAID support.

� Includes bus slots to accommodate additional network interfaces orRAID controllers you may decide to use instead.

Table A-1 describes the basic options to which you should attend whenchoosing a server motherboard.

Table A-1 Windows Server MotherboardsItem Number Notes

(Low–High)

CPU sockets 1–4 For low-end servers, one or two CPUsockets usually suffice.

CPU types Varies Important to check what kinds ofCPUs will fit, both for matching and tomeet performance requirements.

Bus speed 800–1333 MHz Faster buses provide better perfor-mance but require more expensivehardware devices.

Chipsets Varies Determine memory handling, disk I/O,graphics, and bus access.

Disk controllers Varies Look for SCSI and RAID or SATA andRAID support.

Memory (RAM) 4–8 slots Look at number of slots, maximum sizeand speed per module, also look fordual-channel and ECC support.

374 Part VI: Appendixes

30_180433 bapp01.qxp 2/25/08 7:53 PM Page 374

Item Number Notes(Low–High)

PCI Express slots 1–3 Look for one or more 8x slots, plus oneor more additional PCI-e x1, PCI-e x4,and PCI-X slots.

Built-in graphics 1 Nice to have, but not strictly requiredas long as one PCI slot is available fora graphics card.

Ports/connectors Varies You need at least two USB ports, plusthe means to connect a mouse andkeyboard.

Whereas very few desktop and only some workstation motherboards includetwo or more CPU sockets, many server motherboards support two or more.And whereas $300 is a lot for a desktop motherboard and $400 is a lot for aworkstation motherboard, many server motherboards cost $500 or more.You’ll want to make sure the motherboard supports the type of disk drivesyou wish to use and can accommodate enough memory to meet your performance requirements.

Good server motherboard manufacturers are many but the best-known players include Intel Corporation, Tyan, and Asus. On the Intel side, look formotherboards that support Socket 771 for one or two Xeon processors; onthe AMD side, look for 2000 or 8000 series Socket F processors.

Server ProcessorsYou’ll want to attend to many things when choosing CPUs for server use.Chief among those are the number of cores per processor, which defines thenumber of independent working units inside each processor package, or chip.We recommend at least two cores per processor and at least four cores perserver, which means you can purchase a motherboard with a single socket aslong as you’re willing to buy a quad-core processor; if you buy a two-socketmotherboard, you can go with two dual-core units. See Table A-2 for more onour recommendations for Windows server processors.

375Appendix A: Server Components and Technologies

30_180433 bapp01.qxp 2/25/08 7:53 PM Page 375

Table A-2 Windows Server ProcessorsItem Number Notes

(Low–High)

CPU cores 1–8 For low-end servers, two or four cores perprocessor usually suffice.

CPU speed 1.8–3.0 GHz Faster processors perform better but alsoconsume more power and produce morewaste heat.

Maximum 266–667 MHz Faster memory performs better but memory speed costs more.

For most of the readers of this book, the AMD 1000 and 2000 series Opteronprocessors and the Intel Xeon 3000 series processors will probably make themost sense. These come in single, dual, and quad-core models, and pricesrange from a low of around $120 to as much as $300 each. Count on buyingtwo, and your budget will be appropriately conservative.

Server Memory (RAM)The kind and amount of memory that servers use differs drastically from that found in most desktop and workstation PCs. All of these kinds of PCs use memory modules, which are usually called DIMMS (double inlinememory modules), that indicate support for a 64-bit-wide data path to thememory chips onboard. To begin with, most servers use a special type ofrandom access memory (RAM) that’s called registered ECC. Each of thesewords has a special meaning:

� Registered: This means that the memory uses a special storage areacalled a memory register (register, for short) in which it stores informa-tion to be written to the memory module. This slows down memoryaccess by one clock cycle to access the register (instead of directly reading from or writing to memory locations), but ensures that data isboth stable and reliable, which are eminently desirable characteristicsfor server use.

� ECC: This stands for Error Checking and Correction, which basicallyuses additional memory chips to hold error check data about valuesstored in memory. As values are read, error check data makes sure thedata is correct, and when a single-bit error is detected, this kind ofmemory can fix such errors. ECC memory generally runs a little bitslower (two percent slower, according to some estimates) than conven-tional non-ECC memory, but it ensures that data is correct and errorfree, which are also eminently desirable characteristics for server use.


30_180433 bapp01.qxp 2/25/08 7:53 PM Page 376

ECC memory modules must be purchased as such and generally cost anywhere from two to three times as much as non-ECC memory of the samespeed. Is it worth it? For server use, most definitely. Typical price ranges forDDR2 ECC memory appear in Table A-3.

Table A-3 Windows Server MemorySpeed Size Low $ High $ Designation

400 MHz 1GB $35 $70 PC2-3200

400 MHz 2GB $100 $130 PC2-3200

533 MHz 1GB $55 $90 PC2-4200

533 MHz 2GB $100 $150 PC2-4200

667 MHz 1GB $60 $100 PC2-5300

667 MHz 2GB $200 $300 PC2-5300

When it comes to buying server memory, get the fastest that your mother-board will support. Experience has also taught us that you should fill slots inpairs (to make best use of dual-bank capabilities) and that you should fill asmany slots as you can afford when you put your system together. (Becausememory technology changes rapidly, newer, faster memory often costs lessthan older, slower memory.) We recommend nothing less than 4GB for aWindows Server 2008 32-bit system and nothing less than 8GB for a WindowsServer 2008 64-bit system.

Disk Drives, Controllers, and RAIDWhen it comes to choosing storage for a server, one fundamental selectiondrives the rest of the process. Modern servers tend to use either the SCSI(Small Computer Systems Interface) or SATA (Serial Advanced TechnologyAttachment, also known as Serial ATA) hard drives. Each type of driverequires its own unique disk controller, so choosing SCSI means that youmust also use a SCSI controller, and choosing SATA means that you must alsouse a SATA controller.

Windows servers also have another typical wrinkle — namely, a typical setupapproach where one drive, or a pair of mirrored drives, is used for operatingsystem files and information, and other drives (often in a RAID array) areused to store data and applications for user access. Thus, it isn’t unusual touse two disk controllers on a server: one to handle the operating systemimage and related files and the other to handle data drives.


30_180433 bapp01.qxp 2/25/08 7:53 PM Page 377

Windows distinguishes between two primary sets of disk structures relatedto any Windows system, including a Windows server. The system volume(also known as the system partition or system drive) contains the hardware-specific files needed to start Windows up, including Ntldr, Boot.ini, and Ntdetect.com, among others. The boot volume (also known as the boot partition or boot drive) contains the Windows operating system and supporting files (which typically reside in the ...\WINDOWS and ...WINDOWS\System32 folders, respectively).

Because most modern server motherboards usually include both SCSI andSATA controllers (although not always with RAID for both types of drives), it’s a fairly common practice to use SATA for the Windows operating systemdrive, and SCSI for the data drives, usually in a RAID 5 or RAID 10 array. (Weexplain these terms later in this section.) Sometimes, you’ll use a pair of mirrored drives for the Windows operating system to ensure extra reliabilityand improved performance.

SCSI versus SATA drivesThe short version of this discussion is that SCSI is faster and more expensivethan SATA. The longer version gets a little more complicated. Let’s start bylooking at typical drive speeds for the two technologies, as shown in Table A-4. Because 3.5" drives are invariably used in servers nowadays, we restrictourselves to that form-factor. (Other form-factors are smaller and sloweranyway, the laws of rotational physics being what they are, but smaller drivesare used far more frequently in notebook PCs than any other kind, and almostnever in servers.)

Table A-4 Typical SCSI and SATA 3.5” Drive SpeedsType RPM Cost/GB Capacity Remarks

(Low–High) (Low–HIgh)

SATA 7,200 $0.20–$0.40 40GB–1TB Larger, more capabledrives cost more; sizesrange from 80GB to 1TB.

SATA 10,000 $1.33–$2.02 74–150GB WD Raptor models, avail-able in only two sizes, arethe only 10,000 RPM SATAdrives available.


30_180433 bapp01.qxp 2/25/08 7:53 PM Page 378

Type RPM Cost/GB Capacity Remarks(Low–High) (Low–HIgh)

SCSI 10,000 $1.48–$2.45 146–434GB Most major drive manufacturers offer suchdrives but none in sizeslarger than 4xxGB.

SCSI 15,000 $4.10–$8.97 36–46GB Same as for 10K RPMSCSI drives, except sizestop out at 146GB.

There’s a very interesting moral to be drawn from the foregoing table. Unlessyour server must absolutely scream with disk speed, the best storage valuecomes from 7,200 RPM SATA drives. With Seagate now offering perpendicularmagnetic recording (PMR) drive technologies that basically stand bit regionssideways on the disk platter and therefore cram data into hitherto unheard-ofdata densities, you can get very good performance from drives that rangefrom 320 to 750GB in size, at prices from 25 cents to 28 cents per GB.

High-performance junkies will often use a WD 10,000 RPM Raptor or a 10,000or 15,000 RPM SCSI drive for the Windows system drive, but even these folksare increasingly turning to 7,200 RPM SATA drives for data RAID arrays.

The whole SCSI versus SATA subject continues to be a raging debate in serverhardware circles. Some of the most interesting outlooks on this subject comefrom well-known system builder Puget Custom Computers. Its “SCSI vs SATA,Which is Faster?” article includes fascinating explanations and test results toback up its contention that SATA is more or less edging SCSI out of the serverstorage game. Find it online at www.pugetsystems.com/articles.php?id=19.

SCSI versus SATA controllersThe other side of the storage equation is the disk controller. Those who needfast storage usually also opt to purchase add-in disk controller cards, andeschew controllers and RAID circuitry built into most modern server mother-boards. Those who can stomach the higher costs of 10,000 or 15,000 RPMSCSI drives should also prepare to swallow additional costs for suitable disk controllers.


30_180433 bapp01.qxp 2/25/08 7:53 PM Page 379

Even modest SCSI RAID controller cards (like the Adaptec 2246200-R) costmore than $300, and a high-end version (like the Adaptec 2185900) costsmore than $700. A minimal RAID array usually requires at least three diskdrives, where it isn’t unusual for them to include as many as seven drives.(The max for most SCSI controllers is 15 devices per SCSI channel.) On theSATA side, costs are pretty similar: Low-end RAID controllers start at about$200 (like the Adaptec 2220300-R) and approach $700 at the high end (like theAdaptec 2251600). SATA controllers can typically handle many more devices,however, where high-end controllers top out at 128 devices in total.

When choosing a disk controller for your server, two additional selection factors come into play:

� Bus slot: A disk controller is an interface card and, therefore, must pluginto an interface slot. Most servers come equipped with one or more ofeach of the slot types described in Table A-5. Be aware that the fasterthe bus speed for a given slot, the more a controller card that uses sucha slot typically costs.

� Slot contention: When designing a server, multiple interface cards may end up competing for scarce slot space. This makes the numberand type of slots available on a motherboard an important considerationfor its purchase, and putting some thought into what kinds of cards you want to put in your service is equally important. You may have tobalance the need for fast storage — which requires a disk controllercard — against the need for fast network access — which may mandateone or two high-speed TCP/IP Offload Engine (TOE) network adapters.

This can force some tough choices, and may occasionally appear to argue forthe wisdom of Solomon in choosing faster storage versus faster networking.

Table A-5 Server Bus Slot Speeds and FeedsName Bus Speed Bit Width Maximum Remarks

Throughput

PCI 33 MHz 32 bits 132 MB/s Common PC utility bus.

PCI64 133 MHz 64 bits 1066 MB/s Occasionally found onserver motherboards.

PCI-e x1 33 MHz 1 bit 250 MB/s All PCI-e buses are bidi-rectional. (Throughputshown is one-way only;total possible amount isdouble.)


30_180433 bapp01.qxp 2/25/08 7:53 PM Page 380

Name Bus Speed Bit Width Maximum RemarksThroughput

PCI-e x4 33 MHz 4 bits 1.0 GB/s Used for some disk controllers.

PCI-e x8 33 MHz 8 bits 2.0 GB/s Used for many disk con-trollers and TOE networkadapters.

PCI-X 66–133 MHz 64 bits 1.08 GB/s Popular server bus technology.

Typically, you find between one and three PCI-e x8 slots on a server mother-board, and one or two PCI-X slots as well. If the numbers permit, you can useeither one for disk controllers and network adapters. The important thing is to purchase a motherboard that has enough of the right kinds of slots tomeet your needs.

There’s also a case to be made at the low end of the server spectrum that you should try to use built-in controllers and adapters first and move to moreexpensive add-in cards only if built-ins don’t cut it. But because this meansyou still need the right number and kind of bus slots to add any adapters you need, it’s wise to pay attention to bus slots even if you don’t intend tostuff them immediately after the purchase of the motherboard on which they reside.

Building RAID arraysThe full expansion for the RAID acronym holds the meat of its technologystory: A redundant array of inexpensive disks uses conventional disk drives ina group and achieves performance, reliability, and availability gains by doingso. Using RAID of any kind requires multiple drives to work — at least twoand as many as six (for the various types of RAID we’re about to explain,compare, and contrast in this very section) drives are needed to support different RAID schemes.

RAID schemes go by the numbers, starting with 0 through 6, plus 10, 50, andother designations. Here we examine only those types of RAID most oftenused on Windows servers (but we do provide a couple of pointers at the endof this section to where the curious or the technically motivated can learnabout “missing numbers” if they like). For convenience, we list them innumerical order in Table A-6, starting with zero.


30_180433 bapp01.qxp 2/25/08 7:53 PM Page 381

Table A-6 RAID Schemes and CharacteristicsName Minimum Typical Failure Remarks

Disks

0 2 3–5 0 Striping across multipledrives; no redundancy or faulttolerance; offers best perfor-mance improvement; easy toimplement.

1 2 2 1 Also known as disk mirroringor duplexing, copies every-thing onto each drive in a pair;easiest recovery from failure;hardware controller recom-mended.

0+1 4 4–10 1 Stripes across mirrored pairs;expensive with high overheadbut offers very high datatransfer performance.

5 3 5–7 1 Striping with parity, 1/n over-head (n = number of drives);keeps running even if a singledrive fails; hardware con-troller required.

10 4 6–10 1 Combines striping with mirroring (all drives are in mirrored pairs and all pairsare striped); expensive andhigh overhead but high reliability and performance.

50 6 6–10 2 Combines parity and stripingacross two or more RAID 3(parity) sets; very expensivebut very resilient to drive failure.

In RAID arrays, all disks are usually the same kind, make, and model to permitthem to work together most effectively. Another technology, called JBOD(just a bunch of disks), works like RAID 0 to stripe data across any number ofdisks (2 to 15, practically speaking) where the disks need not be the same.Striping essentially distributes data across all drives in an array so that readsand writes can be broken up and distributed across all of them. This provides


30_180433 bapp01.qxp 2/25/08 7:53 PM Page 382

a nice boost to overall performance. People usually use RAID 0 or JBOD for a performance boost, but because it confers no added reliability, these technologies aren’t used very often on servers.

Disk mirroring or duplexing requires 100 percent overhead in exchange forincreased reliability. Essentially, two drives each contain a copy of the samething so that if one fails, the other one can keep chugging right along.

� Mirroring generally refers to “two drives, one controller,” so that if thecontroller fails, the whole array goes down.

� Duplexing refers to “two drives, two controllers,” so that if one drive orcontroller fails, the working drive and controller keep on truckin’.

When RAID 1 is used on servers, it’s most often used for the Windowssystem/boot drive, because that allows it to keep working even if one of thedrives fails with little or no downtime for repairs and reconstruction. Whenboth drives are working, two reads are possible for the set, which effectivelydoubles read speed as compared to a single drive. Write speed remainsunchanged because data must be written to both drives to keep the mirrorsynchronized.

Disk striping with parity enables control data about a collection of datablocks to be written to the only drive where none of that data resides. If asingle drive fails, this lets any single stripe be reconstructed from the portions on the still-working drives that are intact, plus the parity data on theparity drive for that stripe. The controller mixes things up so that no singledrive failure results in the loss of parity data needed to reconstruct missingstripe elements. RAID 5 also offers the highest read data transaction ratesand medium write data transaction rates, and it’s widely used on servers thatneed improved performance and reliability.

RAID 0+1, 10, and 50 are all pretty complex and expensive, and they’re usedmore often in high-end, high-volume environments than on servers in smallbusinesses or SOHO situations. You’ll see that many of the disk controllersthat support RAID offer these options, but they aren’t as applicable for low-end to medium-demand server situations.

High-End Network AdaptersAs with disk controllers, network adapters for various server buses are available. You can find versions of such adapters for the PCI, PCI-e x1 and x4,and the PCI-X buses. When shopping for such cards, make sure that WindowsServer 2008 drivers are available for them, or you won’t be able to put themto work on your server.


30_180433 bapp01.qxp 2/25/08 7:53 PM Page 383

Vendors who offer TCP Offload Engine adapters invariably also require instal-lation of the Windows TCP Chimney Offload on those Windows Server 2008systems on which they’re to be used. This essentially equips the driver tohand over TCP processing, including IP address information, ports in use,packet sequence numbers, and so forth, without requiring the server CPU(s)to get involved. For any kinds of connections that persist over time and uselarge packet payloads — such as network storage access, multimedia stream-ing, and other content-heavy applications — TCP Chimney Offload reducesCPU overhead by delegating network packet processing, including TCP segmentation and reassembly, to the network adapter. In turn, the CPU isfreed up to do other things, such as handle additional user sessions orprocess application or service requests more quickly.

Vendors that offer network adapters that work with Windows operating systems are listed in Table A-7, along with price ranges, product descriptions,and URLs.

Table A-7 Windows TOE Network AdaptersVendor Product Prices Description URL

Alacritech SENxxxx $449–849 1–4 ports, fiber www.alacritech.

& copper, PCI, com

PCI-X

Chelsio S30xx $795–1,495 2–4 ports, copper, www.chelsio.com

PCI-e x1, x4, PCI-X

Dell NetXtreme II $100 Model 5708, www.dell.com

1 port, PCI-e x1

HP Bladesystem $225–400 1 or 2 ports, www.hp.com

PCI-X, NC370i, NC373m

For servers that support less than 25 simultaneous users, a network adapterwith TOE capability is overkill. If servers support 25–100 users, a networkadapter with TOE becomes increasingly helpful, and when handling over 100users, it helps to keep the server available to handle other tasks as well asmanaging its network connections.


30_180433 bapp01.qxp 2/25/08 7:53 PM Page 384

Appendix B

Windows TroubleshootingResources

Windows Server 2008 is something of a world unto itself. In fact, it’s a large, complex, and pretty interesting world, as the attached

collection of recommended Windows Server 2008 resources in print andonline illustrate.

In the sections that follow, we look at books and magazines that addressWindows 2008 topics, as well as a plethora of Web sites, forums, newsgroups,and more. We start with a series of enthusiastic nods to the source forWindows Server 2008 and a whole raft of additional information andresources — namely, Microsoft itself. After that, we trip over numerous thirdparties in print and online. Along the way, you should find some fabulousgoodies to help you learn more about Windows Server 2008, understand itbetter, and deal with troubles, trials, and tribulations related to that operating system as and when they should happen to come up.

Marvels from MicrosoftAs the company that built the Windows Server 2008 operating system, it’sonly natural that Microsoft should also have a lot of information to shareabout this product. And it doesn’t disappoint in any way, either in terms ofvolume, coverage, technical depth, and more, more, more than many willever want to know about Windows Server 2008. We present all of the important online links at the Microsoft sites in Table B-1, each of whichincludes a name so we can also expand a little on this content in a bulletedlist of explanations that follows the table.

31_180433 bapp02.qxp 2/25/08 7:53 PM Page 385

Table B-1 Microsoft Windows Server 2008 Resources OnlineName URL

Blogs www.microsoft.com/communities/blogs/PortalHome.mspx

Microsoft Press www.microsoft.com/mspress/hop

TechNet forums: forums.microsoft.com/TechNet/Server 2008 default.aspx?ForumGroupID-

161&SiteID=17

TechNet SysInternals www.microsoft.com/technet/Web page sysinternals/default.aspx

Windows Server 2003 https://www.microsoft.com/newsgroup technet/prodtechnol/windows

server2003/newsgroups.mspx

Windows Server 2008 www.microsoft.com/windowshome page server2008/default.mspx

Windows Server 2008 www.microsoft.com/learning/Learning Portal windowsserver2008/default.aspx

Windows Server 2008 http://technet.microsoft.com/TechCenter en-us/windowsserver/2008/

default.aspx

Windows Server 2008 http://technet2.microsoft.com/Technical Library windowsserver2008/en/library/

� Blogs: Important categories include Windows Server 2008, WindowsLonghorn Beta 1, and Windows Longhorn Beta 2. This is where you can find developers, trainers, and key “idea people” from Microsoftexplaining what’s up and what’s going on with Windows Server 2008.

� Microsoft Press: This organization publishes lots of materials about thecompany’s platforms, most notably the Resource Kit titles that act asgeneral technical encyclopedias for the company’s operating systems.This Web page tells you what’s coming down the pike from the press,and while we see numerous interesting Windows Server 2008 resourcekit titles on IIS 7.0, Group Policy, Active Directory, productivity solutions,and more as we write this list, we don’t see a single monolithic WindowsServer 2008 Resource Kit. (These sometimes take 6–12 months after product release to arrive in print, however.)

� TechNet forums: TechNet is the Microsoft Technical Network, itself ahuge compendium of technical information on Microsoft offerings.Among those offerings are online forums, including those for Windows


31_180433 bapp02.qxp 2/25/08 7:53 PM Page 386

Server 2008 mentioned in the URL (but you can find information aboutanything and everything Microsoft-related through TechNet).

� TechNet SysInternals Web page: SysInternals is a formerly independentcompany that’s now part of Microsoft, and its outstanding library ofWindows administration tools is still available online. Check out the freetools available at this URL in all of these covered categories: file and disk utilities, security utilities, networking utilities, system informationtools, process utilities, and miscellaneous stuff. You’ll find a surprisingnumber of real gems here. (We’re especially fond of TCPView, BgInfo,ProcessMonitor, and the Registry defragmentation tool, PageDefrag.)

� Windows Server 2003 newsgroup: As we write this, no official WindowsServer 2008 newsgroups are defined yet, but we expect them to show up in a windowsserver2008 directory like the windowsserver2003/newsgroups entry we include by way of indirect reference here.

� Windows Server 2008 home page: This is the primary jumping off pointin the Microsoft Web pages for all things related to Windows Server2008. You’ll find pointers to all the other Microsoft resources mentionedhere, and more, on this Web page.

� Windows Server 2008 Learning Portal: This is where you can turn foraccess to official Microsoft Windows Server 2008 training materials andinformation. At present, Microsoft is offering a free e-book and a freefour-part introductory online course on Windows Server 2008 to allcomers, but by the time you read this, you’ll probably find differentoffers and information there instead.

� Window Server 2008 TechCenter: This is home to the Windows Server2008 Technical Library, related community resources online, links topopular downloads and recent Knowledge Base articles, and additionalresources as well. It’s an outstanding clearinghouse for technicalWindows Server 2008 information. Elements of the Technical Library are also available in convenient downloadable form from the WindowsServer 2008 Step-by-Step Guides page (www.microsoft.com/downloads/details.aspx?FamilyID=518d870c-fa3e-4f6a-97f5-acaf31de6dce&DisplayLang=en). We also provide a direct link to theWindows Server 2008 Technical Library, which is starting to flesh outsignificantly as this new OS is readied for release.

Windows Server 2008 BooksA quick hop up to your favorite online bookstore will no doubt augment thislist immediately, but here are a couple of titles we’ve heard good things aboutas we’re working on our own book (and as Microsoft continues to readyWindows Server 2008 for its commercial release).

387Appendix B: Windows Troubleshooting Resources

31_180433 bapp02.qxp 2/25/08 7:53 PM Page 387

� Administering Windows Server 2008 Server Core, by John Paul Mueller(Wiley Publishing, February 2008) is designed to serve as both a tutorialand a desk reference for administrators. This book includes a discussionof the new interface, describes how to perform all kinds of tasks, andprovides a complete reference for relevant Server Core commands.Topics included cover performing essential maintenance, executing registry hacks, automating routine tasks, managing hardware, managingthe network, working with TCP/IP, working with applications and data,monitoring system events and performance, managing users, and securing your system. Mueller’s book makes an excellent supplement to this one.

� Windows Server 2008 Implementation and Administration, by BarrieSosinsky (Wiley Publishing, February 2008). This book provides a conciseinstruction for IT professionals already trained to use earlier versions of Windows Server. It dispenses with common networking Windows technology and concepts that administrators already know, such asDHCP, DNS, and basic Active Directory to concentrate on the crucial features of the new operating system. This book seeks to bridge the oldto the new without making readers relearn familiar material. Thus, thisbook contains topics that might be found in other Windows Server 2008books, but it’s organized to enable the reader to use these technologiesmore quickly. As much as possible, the book presents instructional how-to material with an eye toward teaching administrators to useWindows Server 2008 in new and more productive ways.

Server-Friendly PublicationsThe entire computer trade press always covers Microsoft, to a greater orlesser extent. Table B-2 points you to publications where you’re most likely to find information relevant to the needs and interests of system or networkadministrators, and other IT professionals, who are among the people most likely to work with Windows Server 2008 on a day-to-day basis.

Table B-2 Windows Server PublicationsName URL

Microsoft Certified Professional www.mcpmag.comMagazine Online

Windows IT Pro Magazine www.windowsitpro.com

Redmond Magazine www.redmondmag.com


31_180433 bapp02.qxp 2/25/08 7:53 PM Page 388

� MCP Magazine, as this publication is better known, caters to certifiedMicrosoft professionals, most of whom manage Windows systems andservers for a living. This isn’t an exclusively server-focused publication,but it provides lots of useful information about Microsoft operating systems and technologies.

� WindowsITPro Magazine is probably the best and most highly regarded ofthe specialty publications that focus on Windows-oriented IT profession-als. This publication does a great job of covering server hardware, soft-ware, and operating systems and should continue to be a great source ofinformation on Windows Server 2008 for interested professionals.

� Redmond Magazine is another publication that caters to the needs ofworking IT professionals with a Windows focus. This publication alsodoes a good job of covering server hardware, software, and operatingsystems, and it’s also devoting increasing coverage to Windows Server 2008.

Other Third-Party Windows Server 2008 Sources

To some extent, we appreciate the existence and variety of third parties who also provide information about Windows Server 2008. That’s becauseMicrosoft sources must toe the company line and can’t always be as exact (or as direct) when it comes to identifying trouble spots and how to workaround them. Typically, that’s where the third parties really come into theirown, and it’s what makes them so worth attending to, as listed in Table B-3.

Table B-3 Other Third-Party Windows Server ResourcesName URL

Windows Server http://teamapproach.ca/troubleTroubleshooting

WindowsNetworking. www.windowsnetworking.comcom

ZDNet Troubleshooting http://downloads.zdnet.com/download.Windows Server 2003 aspx?docid=172733

389Appendix B: Windows Troubleshooting Resources

31_180433 bapp02.qxp 2/25/08 7:53 PM Page 389

� Windows Server Troubleshooting: The Canadian Team Approach grouphas put a stellar server troubleshooting guide together here. Although it doesn’t yet include many Windows Server 2008 specifics, we expectthem to remedy this in the near future. It’s one of the best general troubleshooting references we’ve ever seen anywhere.

� WindowsNetworking.com: This is a Web site that caters to professionalIT administrators who manage Windows servers, among other elementsof the IT infrastructure. Among this site’s many attractions are articleson current and emerging technologies, a large collection of informationand tips under an “Admin KnowledgeBase” heading, plus tutorials on allkinds of subjects bound to be of interest to anybody who manages aWindows Server of just about any vintage, including Windows Server2008. See a collection of Windows Server 2008 articles and tutorials atwww.windowsnetworking.com/articles_tutorials/Windows_Server_2008.

� ZDNet Troubleshooting Windows Server 2003: The editors at ZDNethave done a great job of assembling a detailed, thorough WindowsServer 2003 troubleshooting guide. While we hope they’ll do likewise forWindows Server 2008 ASAP, there’s a lot in here that remains fresh andrelevant, even for those who use Windows Server 2008 instead.


31_180433 bapp02.qxp 2/25/08 7:53 PM Page 390

• Symbols and Numerics •100 Mbps Ethernet, 67100BaseT standard (Fast Ethernet), 67100BaseVG-AnyLAN standard, 67802.11 wireless support, 64

• A •AAM (Admin Approval Mode), 17access

to applications, 33–34authenticated, 16controlling, 36printer, 167–168problems with, 225–226remote, 109to trusts, 154unauthenticated, 16user, 275–277

Access Control Lists (ACLs), 149,227–229, 337–338

access methods, 66access points (APs), 16access tokens, 230Account Lockout Policy, 273Account tab, 208accounts

Account Lockout Policy, 273Administrator, 202–203decoy, 278domain user, 202dummy, 278Guest, 202–204HelpAssistant, 203SAM (Security Accounts Manager),

118–119, 140UAC (User Account Control), 17, 337

usermanaging, 211properties, 201–204

user account objects, 201ACLs (Access Control Lists), 149,

227–229, 337–338ACT (Application Compatibility Toolkit),

75, 294activation, 88–89Active Directory (AD). See also Active

Directory Users and Computersconsole

directory permissions, 149–152directory services, 115–116domain controllers

overview, 118–122roles, 137–139

featuresglobal catalogs, 125–126overview, 121–122replication, 122–124schemas, 124–125

installing, 129–132locating data, 118management of

ADSI, 148creating directory objects, 145–147finding directory objects, 148overview, 144Users and Computers console,

144–145managing data, 117–118multimaster replication, 141–144multiplying domains, 133–136organizing data, 116–117overview, 36, 115, 137planning for, 126–129trust relationships, 140, 152–154

Index

32_180433 bindex.qxp 2/25/08 7:53 PM Page 391

Active Directory Certificate Services(AD-CS), 97

Active Directory Domain Services (AD-DS), 97

Active Directory forests, 122, 125Active Directory Installation Wizard,

127, 137Active Directory Lightweight Services

(AD-LDS), 98Active Directory Rights Management

Services (AD-RMS), 98Active Directory Scripting Interface

(ADSI), 144, 148Active Directory Users and Computers

consoleaccess problems, 225–226creating accounts

Account tab, 208Address tab, 208Dial-in tab, 211General tab, 208Member Of tab, 210Organization tab, 210process of, 204–211Profile tab, 208–209Telephones tab, 210

group policiesadministering, 219–220auditing, 224creating, 222–223overview, 219processing of, 221–222

groupsbuilt-in, 215–217creating, 214managing, 215overview, 212scopes, 212–214

overview, 144–145, 201user accounts

managing, 211properties of, 201–204

user profiles, 217–219Active Server Pages (ASP), 11

AD. See Active Directory; ActiveDirectory Users and Computersconsole

AD Directory Service (DS), 36AD-CS (Active Directory Certificate

Services), 97Add Printer icon, 160–161add-in cards, 287–289address pools, 196Address tab, 208addresses, network, 368–369. See also

Internet Protocol (IP) addressesAD-DS (Active Directory Domain

Services), 97AD-LDS (Active Directory Lightweight

Services), 98Admin Approval Mode (AAM), 17administrative control, delegating,

151–152administrative shares, 277–278Administrator accounts, 202–203administrator role, 330AD-RMS (Active Directory Rights

Management Services), 98ADSI (Active Directory Scripting

Interface), 144, 148advanced permissions, 233Advanced Security Settings dialog box,

150, 233–234Advanced tab, 170Allow or Deny setting, 232AMD servers

administrator role, 330building

inserting PSU, 319–320installing hard disk drives, 326–327installing optical disk, 328–329installing OS, 329–330overview, 319seating CPU and cooler, 320–324seating RAM modules, 324–326setting up hardware, 329

cases, 318CPUs, 316–317



disk space, 318memory, 317motherboards, 316–317network connections, 318overview, 315–316power supplies, 318

answer files, 356API (application programming interface),

28, 193application access, 33–34Application Compatibility Toolkit (ACT),

75, 294Application logs, 343application programming interface (API),

28, 193Application Server (AS), 98Applications and Services logs, 343APs (access points), 16archive bit, 244AS (Application Server), 98ASP (Active Server Pages), 11ASR (Automated System Recovery),

88–90ATL (Automated Tape Library), 245atomic operations, 123attribute-level ACLs, 227–229attributes, 121, 228–229, 244auditing, 224authenticated access, 16automated installation, 37, 92, 356–357Automated System Recovery (ASR), 90Automated Tape Library (ATL), 245automatic address allocation mode, 31automatic client addressing, 14

• B •backbones

defined, 43overview, 69–70testing, 47

Background Intelligent Transfer Service(BITS), 100

backup destinations, 255–256backup domain controller (BDC),

119–121, 138, 140Backup facility

command line backups, 253–254destinations, 255–256media settings, 255–256overview, 102, 251–253scheduling jobs, 256targets, 254–255volumes, 254–255

backup media, 248Backup Operators group, 260–261backup units, 247–248backups

AD, 130Backup facility


Backup Operators group, 260–261evaluating tape systems, 258–260before making changes, 74, 361network versus local, 245–246overview, 241–242planning, 249–251potential threats, 242–243restoring from, 256–257storage options, 246–249third-party options, 257–260types of, 243–245

bad splices, 61bandwidth, 59, 65–68banner pages, 170baseband cable, 58–59BDC (backup domain controller),

119–121, 138, 140binary buffer comparisons, 124binary numbers, 180–181BitLocker Drive Encryption, 17, 35, 99

393Index


BITS (Background Intelligent TransferService), 100

blueline copying system, 49books, Windows Server 2008, 387–389boot drive, 378boot partition, 378Boot Protocol (BOOTP), 31boot volume, 378BOOTP (Boot Protocol), 31broadband transmission, 59brute-force attacks, 269–271budgeting, 292–293buffer coating, 60built-in groups, 215–217built-in network interfaces, 52–55bus mastering, 367bus slots, 380–381

• C •cable contractors, 58, 65cable installers, 46, 50cable segments, 69cables

baseband, 58–59coaxial, 61–62fiber-optic, 59–61HFC networks, 62–63installing, 46, 64–65overview, 57–59plenum-rated, 65twisted-pair, 59UTP, 61

cabling plans, 49–50CAD (Computer Aided Design), 42callback, 211Carrier Sense Multiple Access/Collision

Avoidance (CSMA/CA), 66–67Carrier Sense Multiple Access/Collision

Detection (CSMA/CD), 66–68Cartridge Maintenance tab, 170cases, 289–290, 302, 318

catalog compliance, 355Cheops application, 52chimney offload architecture, 28chimneys, 28chips, 375cladding, 61clients

automatic addressing, 14management of, 37networking, 21–23preferences of, 30–35setting up printing for, 168WINS, 192

clustering, 15–16, 42CMAK (Connection Manager

Administration Kit), 100coaxial (coax) cable, 61–62collapsed backbones, 43collisions, 66–68, 124Color Management tab, 170command line backups, 253–254compatibility checks, 294–295componentization, 94components

servercontrollers, 377–381disk drives, 377–379motherboards, 374–375network adapters, 383–384overview, 373processors, 375–376RAID, 377–378, 381–383RAM, 376–377

shopping for PC, 293–294Compound TCP (CTCP), 26Computer Aided Design (CAD), 42computer names, 176–177, 191–193computer rooms, protecting, 264–266configuring

ICT dialog box, 94–95overview, 93remote connections, 111–114



Server Manager applicationconsole, 96–103DHCP and DNS, 109–111directory trees and forests, 103–108IIS and WMS, 108–109overview, 95–96

Connection Manager Administration Kit(CMAK), 100

connection state, 28connection-oriented protocols, 54container objects, 145–146, 232context driven, 145contiguous namespaces, 134contractors, cable, 58, 65controllers

disk, 377–381domain

backup (BDC), 119–121, 138, 140modes, 131–132overview, 104, 118PDC emulator, 139primary (PDC), 119–121, 137promoting, 130read-only (RODC), 103, 269upgrading, 126

coolersimportance of, 291–292installing, 323–324seating, 308–309, 320–324

copy backups, 244cores, 284–285, 375CPUs (central processing units)

choosing, 316–317installing, 321–322overview, 375–376seating, 305–308, 320–324speed of, 292

Create Custom View dialog box, 342Create Time Inheritance, 240CSMA/CA (Carrier Sense Multiple

Access/Collision Avoidance), 66–67CSMA/CD (Carrier Sense Multiple

Access/Collision Detection), 66–68

CTCP (Compound TCP), 26custom installation, 359–360Custom Views container, 342

• D •daily backups, 244data collector sets, 345data losses, 242–243data transfer rates, 64database, AD, 130–131database size, 143–144data-based services, 35Datacenter Edition, Windows Server

2008, 11decoy accounts, 278deep searches, 125default gateways, 184Default-First-Site, 127Delegate Administration Wizard, 239delegating

access control, 239administrative control, 151–152

Delegation of Control Wizard, 152Desktop Experience, 100Developer Network, Microsoft, 370Device Manager application, 341, 345Device Settings tab, 170DHCP (Dynamic Host Configuration

Protocol), 31–32, 98, 109, 195–197Dial-in tab, 211dial-up clients/hosts, 111differential backups, 244DIMMS (double inline memory

modules), 376DIP (dual in-line package) switches, 82Direct Memory Access (DMA), 366directory objects, 145–148directory permissions, 149–152directory restoration mode, 130directory services. See Active Directorydirectory trees, 103–104disabling unnecessary services, 348disaster recovery, 250–251

395Index


disk controllers, 377–381disk defragmentation, 349disk drives, 377–379disk duplexing, 383disk mirroring, 383disk space, 169, 286–287, 300–301, 318distribution groups, 212DMA (Direct Memory Access), 366DNS (Domain Name Service)

Active Directory, 118–119client networking, 22IP addresses, 178, 193–195

domain controller roles, 137–139domain controllers

backup (BDC), 119–121, 138, 140modes, 131–132overview, 104, 118PDC emulator, 139primary (PDC), 119–121, 137promoting, 130read-only (RODC), 103, 269upgrading, 126

domain name registrars, 179Domain Name Service (DNS)

Active Directory, 118–119client networking, 22IP addresses, 178, 193–195

domain trees, 122, 134–136domain user accounts, 202domains, 103–104, 118–121dotted-decimal notations, 180–181double inline memory modules

(DIMMS), 376drive letters, 86dry-fit approach, 308DS (AD Directory Service), 36dual in-line package (DIP) switches, 82dual network interfaces, 287, 294Dummies.com Web site, 5–6dummy accounts, 278DVD-ROM, 75, 360–361dynamic address allocation mode, 31Dynamic Host Configuration Protocol

(DHCP), 31–32, 98, 109, 195–197dynamic inheritance, 239

• E •ECC (Error Correcting Code) memory,

286–287, 376–377ECN (Explicit Congestion Notification), 26education, security, 267–268Effective Permissions tab, 238electromagnetic interference (EMI),

59–60Enable low-resolution video option, 359encapsulated data, 28end-to-end connection, 185Enterprise Edition, Windows Server

2008, 11enterprise forests, 125enterprises, needs of, 35–38Error Correcting Code (ECC) memory,

286–287, 376–377Ethernet cable notation, 58Event logs, 342–343Everyone group, 276Exchange Server, Microsoft, 118Explicit Congestion Notification (ECN), 26explicit permissions, 150–151extender cards, 52–55extensibility, 121eXtensible Markup Language (XML)

services, 11

• F •“faceless” computers, 76Failover Clustering (FC) feature, 102failover clusters, 15–16, 42, 102fans, 291–292Fast Ethernet (100BaseT standard), 67FAT (File Allocation Table) file system,

79, 227–229, 234–235, 250Fax and Scan applet, 172–174faxing, 172–174FC (Failover Clustering) feature, 102FC-AL (Fibre Channel Arbitrated

Loops), 246Federated Rights Management, 269fiber-optic cables, 59–61



Fibre Channel Arbitrated Loops (FC-AL), 246

field-serviceable parts, 12File Allocation Table (FAT) file system,

79, 227–229, 234–235, 250file permissions, 229File Services, 98file shares, 227File Transfer Protocol (FTP), 15, 151firewalls, 18, 95, 186–187, 365Flexible Single Master Operation (FSMO)

roles, 120, 138floppy disks (floppies), 278–279Forefront Security Technologies,

Microsoft, 17forest root domains, 104forests, 103–104, 122, 135–136form-factor, 10Forward RTO-Recovery (F-RTO), 27FQDNs (Fully Qualified Domain Names),

106, 179, 193F-RTO (Forward RTO-Recovery), 27FSMO (Flexible Single Master Operation)

roles, 120, 138FTP (File Transfer Protocol), 15, 151Fully Qualified Domain Names (FQDNs),

106, 179, 193

• G •GbE. See Gigabit EthernetGDI (Graphics Device Interfaces), 156General tab, 170, 208Gigabit Ethernet (GbE)

motherboards, 52–53, 287network backups, 246network implementation plans, 40–42overview, 68

global catalogs, 122, 125–126, 148global groups, 213globally unique identifiers (GUID), 124GPDBPA (Group Policy Diagnostic Best

Practice Analyzer), 338graphical user interfaces (GUI), 80, 111graphics cards, 291

Graphics Device Interfaces (GDI), 156group policies

administering, 219–220auditing, 224creating, 222–223overview, 219processing of, 221–222

Group Policy Diagnostic Best PracticeAnalyzer (GPDBPA), 338

Group Policy dialog box, 224Group Policy tab, 220groups

built-in, 215–217creating, 214managing, 215overview, 212scopes, 212–214

Guest accounts, 202–204GUI (graphical user interfaces), 80, 111GUID (globally unique identifiers), 124

• H •hard disk drives, 311–312, 326–327hardware

for backup systems, 247–249checking, 364diagnosing startup errors, 335–336documenting, 250enhancements, 366–367requirements, 78–81, 354–355server, 355setting up, 313, 329

“headless” computers, 76health checks, 36heat buildup, 291HelpAssistant accounts, 203hertz (Hz) ratings, 59HFC (hybrid fiber-coaxial) networks,

62–63Hierarchical Storage Management

(HSM), 259high watermark vector, 124high-loss environments, improving, 27

397Index


home theater PCs (HTPCs), 10host IDs, 180–182hotfixes, 274hot-swappable drives, 287HSM (Hierarchical Storage

Management), 259HTPCs (home theater PCs), 10HTTP (HyperText Transfer Protocol), 122hybrid fiber-coaxial (HFC) networks,

62–63HyperText Transfer Protocol (HTTP), 122Hz (hertz) ratings, 59

• I •ICMP (Internet Control Message

Protocol), 55icon tray, 89icons used in this book

Key Concept, 5Remember, 5Technical Stuff, 6Tip, 6Warning, 6

ICT (Initial Configuration Tasks) dialogbox, 73, 94–95, 104

IDE (Integrated Drive Electronics)interfaces, 246

IEEE (Institute of Electrical andElectronic Engineers), 58

IETF (Internet Engineering TaskForce), 134

IIS (Internet Information Services), 11,35, 79, 99, 108–109

ILDs (injection laser diodes), 61ImageX tool, 359implementation plans, network, 39–42incremental backups, 245Indexing Service, 348inherited permissions, 150–151Initial Configuration Tasks (ICT) dialog

box, 73, 94–95, 104injection laser diodes (ILDs), 61

installationAD, 129–132cable, 46, 64–65cooler, 323–324CPU, 321–322network printing, 160–161optical disk, 312–313, 328–329OS, 314, 329–330Windows Server 2008

across the network, 75, 87–88, 356automated, 75, 92, 356–357custom, 359–360DVD-ROM, 75, 360–361from existing OS, 85–87failures, 358hardware requirements, 79–81,

354–355LKGC, 359low resolution video, 358–359overview, 73, 353planning, 73–79post-installation tasks, 88–90, 361problems with, 91–92process, 82–85professional, 46pushing, 75RIS, 88troubleshooting, 358

Institute of Electrical and ElectronicEngineers (IEEE), 58

Integrated Drive Electronics (IDE)interfaces, 246

Integrated Services Digital Network(ISDN), 109, 364

integrated virtualization, 12Intel servers

administrator role, 314building

cooler, 305–309CPU, 305–309hard disk drives, 311–312optical disks, 312–313OS, 314



overview, 303PSU, 304–305RAM modules, 309–311setting up hardware, 313

cases, 302–303CPUs, 298–299disk space, 300–301memory, 299–300motherboards, 298–299network connections, 301–302overview, 297–298power supplies, 302–303

interactive logon, 202Interactive Logon: Do Not Display Last

User Name Policy option, 278interdomain parent-child

relationships, 127internal network access, 287–289International Organization for

Standardization (ISO), 116Internet Control Message Protocol

(ICMP), 55Internet Engineering Task Force

(IETF), 134Internet Information Services (IIS), 11,

35, 79, 99, 108–109Internet Printing Client (IPC), 100Internet Protocol (IP) addresses

classes of, 181–182components of, 180configuration of

advanced, 189–191basic, 187–189overview, 187

DHCP, 195–197DNS, 193–195leasing, 184–185names

NetBIOS, 176–177overview, 175–176TCP/IP, 178–179

NetBIOS over TCP/IP, 193network IDs versus host IDs, 180–182obtaining, 184–185

overview, 175private, 179, 186problems with, 197subnetting of, 182–184translation of, 185–187WINS, 191–192

Internet Protocol (TCP/IP) Propertiesdialog box, 187–188

Internet Protocol Security (IPSec),18, 32, 185

Internet Protocol version 6 (IPv6), 25–26,29, 184

Internet SCSI (iSCSI), 54Internet Security and Acceleration (ISA)

Server, 16–17Internet Service Providers (ISPs),

111–113Internet Storage Name Server (ISNS), 100intersite replication, 141–143intrasite replication, 141–142inventories, network, 50–52IP (Internet Protocol) addresses

classes of, 181–182components of, 180configuration of

advanced, 189–191basic, 187–189overview, 187

DHCP, 195–197DNS, 193–195leasing, 184–185names

NetBIOS, 176–177overview, 175–176TCP/IP, 178–179

NetBIOS over TCP/IP, 193network IDs versus host IDs, 180–182obtaining, 184–185overview, 175private, 179, 186problems with, 197subnetting of, 182–184translation of, 185–187WINS, 191–192

399Index


IP masquerading, 32IPC (Internet Printing Client), 100IPng Transition, 181IPSec (Internet Protocol Security),

18, 32, 185IPv6 (Internet Protocol version 6), 25–26,

29, 184ISA (Internet Security and Acceleration)

Server, 16–17iSCSI (Internet SCSI), 54ISDN (Integrated Services Digital

Network), 109, 364ISNS (Internet Storage Name Server), 100ISO (International Organization for

Standardization), 116ISPs (Internet Service Providers), 111–113Itanium-Based Systems, Windows Server

2008 for, 11

• J •jukebox devices, 248

• K •Kerberos, 134, 273kernels, 13Key Concept icons, 5keyboards, 291–292

• L •lab certification, 80–81LANs (local area networks), 58, 109large send offload (LSO), 29Last Known Good Configuration (LKGC),

359–360LDAP (Lightweight Directory Access

Protocol), 36, 117–120, 139LEDs (light-emitting diodes), 61legacy clients, 119light-emitting diodes (LEDs), 61Lightweight Directory Access Protocol

(LDAP), 36, 117–120, 139

lightweight filter (LWF) drivers, 29listener process, 15LKGC (Last Known Good Configuration),

359–360load-balancing, network, 16local area networks (LANs), 58, 109local backups, 246local profiles, 218logical printer assignments, 158–160logical printers, 156logon process, 225–226logs, 342–343Longhorn, 9, 126loopback addresses, 182low resolution video, 358–359LPR Port Monitor (LPM), 100LSO (large send offload), 29LWF (lightweight filter) drivers, 29

• M •managed entities, 346–347mandatory profiles, 219manual address allocation mode, 31manuals, installation, 77maps, network

capturing data, 49–50inventories, 50–52overview, 48–49updating, 52

masqueradingIP, 32network, 32

Massachusetts Institute of Technology(MIT), 134

master-slave relationships, 119media

backup, 248network

cable installation, 64–65fiber-optic and coax cables, 60–63overview, 57–59wireless, 63–64

media settings, 255–256



Member Of tab, 210memory

main system, 285–287random access (RAM), 376–377selecting and sizing

AMD servers, 317Intel servers, 299–300

server versus computer, 10memory modules, 309–311, 324–326memory registers, 376Message Queuing (MQ), 100methods, 228mice, 291–292Microsoft

hardware catalog, 81lab certification, 80–81troubleshooting resources, 385–387Web site, 2–3, 80, 148

Microsoft Application CompatibilityToolkit (ACT), 75, 294

Microsoft Developer Network, 370Microsoft Directory Synchronization

Services (MSDSS), 116Microsoft Exchange Server, 118Microsoft Forefront Security

Technologies, 17Microsoft Management Consoles

(MMCs), 16, 128, 144, 224Microsoft Small Business Center, 370MIT (Massachusetts Institute of

Technology), 134mixed mode domains, 131MMCs (Microsoft Management

Consoles), 16, 128, 144, 224modems, 112modes

AAM (Admin Approval Mode), 17automatic address allocation, 31directory restoration, 130domain operation, 131–132dynamic address allocation, 31manual address allocation, 31native, 131.NET, 131

monitoring tools, 344monitors, 78, 291–292motherboards, 298–299, 316–319,

374–375MPIO (Multipath I/O), 100MQ (Message Queuing), 100MSDSS (Microsoft Directory

Synchronization Services), 116multiboot systems, 74multi-homed computers, 185multimaster replication, 120–123,

141–144Multipath I/O (MPIO), 100multiple NICs, 23

• N •name services, 33names. See also Internet Protocol (IP)

addressesNetBIOS, 176–177overview, 175–176problems with, 368–369TCP/IP, 178–179

namespaces, 127, 134naming conventions, 207NAP (Network Access Protection), 18, 36,

64, 269, 365NAS (network attached storage) devices,

10–11NAT (Network Address Translation),

32–33, 179, 184–185native mode, 131NDIS (Network Driver Interface

Specification), 16, 28–30NDS (Novell Directory Services), 116–117nearline backups, 247.NET Framework 3.0, 99.NET interim mode, 131.NET mode, 131NetBIOS (Network Basic Input-Output

System), 118–119, 176–177, 191–193NetMon (Network Monitor), 367NetWare, 116

401Index


Network Access Protection (NAP), 18, 36,64, 269, 365

network adapters, 366–367, 383–384Network Address Translation (NAT),

32–33, 179, 184–185network addresses, 368–369network attached storage (NAS) devices,

10–11network backups, 245–246Network Basic Input-Output System

(NetBIOS), 118–119, 176–177,191–193

network connections, 318. See alsotransmission media

Network Connections Property page, 113Network Driver Interface Specification

(NDIS), 16, 28–30Network File System (NFS) Services, 101network IDs, 180–182Network Load Balancing (NLB), 16, 102network maps

capturing data, 49–50inventories, 50–52overview, 48–49updating, 52

network masquerading, 32network media


Network Monitor (NetMon), 367Network Monitor Tools check box, 367network name resolution, 14Network Operating System (NOS), 116Network Policy and Access Services

(NPAS), 98Network Policy Server (NPS), 37Network Printer Installation Wizard, 169network protocol stacks, 15, 23–24network segments, 180network shares, 235–236network visualization, 52

networksaccess to, 287–289backups of, 245–246design

basics, 42–45cables, 46checking installations, 47devices, 45–46equipment, 46evaluation, 47–48guidelines, 42–45implementation plan, 39–42interfaces, 52–55maps, 49–52overview, 39

devices for, 45–46drivers, 15educating users of, 267–268installing Windows Server across, 75,

87–88, 356ports, 44security

accounts policies, 223–224common weaknesses, 277–279education, 267–268features, 13, 16–18maintaining, 279overview, 263–264passwords, 270–274physical access, 264–267service packs, 274–275user access, 275–277usernames, 269–270

NewReno algorithm, 27Next Generation TCP/IP stack, 24–27NFS (Network File System) Services, 101NICs (network interface cards)

versus built-ins, 52–54cabling needs, 58inventory of, 51minimum requirements, 354–355multiple, 23

NLB (Network Load Balancing), 16, 102



noises, hardware, 336normal backups, 244NOS (Network Operating System), 116notebook theft, 266–267notification area, 89Novell Directory Services (NDS), 116–117Novell NetWare, 116NPAS (Network Policy and Access

Services), 98NPS (Network Policy Server), 37nslookup tool, 197NT 4.0, 118–119ntbackup program, 251–254NTFS file systems, 230–233, 250

• O •object permissions, 229object replication, 143object-oriented, 230–231objects, 228–230octets, 180odors, hardware heating, 336offline backups, 247offloading protocol processing, 27–29online backups, 247Open Packaging Conventions (OPC), 155operating environments, protecting,

264–266operating systems (OS), 85–87, 314,

329–330operations master roles, 120, 138–139optical disks, 312–313, 328–329optical drives, 291–292optimization, server

disabling unnecessary services, 348disk defragmentation, 349managed entities, 346–347overview, 346turning off Indexing Service, 348

Options button, 220Organization tab, 210organizational units (OUs), 126, 129,

145–146, 204, 239

originating updates, 141OS (operating systems), 85–87, 314,

329–330OUs (organizational units), 126, 129,

145–146, 204, 239

• P •P2P (peer-to-peer) relationships, 22–23,

120, 138Packet Internet Groper (ping)

command, 55Password Policy, 271–272passwords, 223–225, 270–274patch releases, 274PDC (primary domain controller),

119–121, 137PDC emulator, 120, 139PE (Preinstallation Environment), 360Peer Name Resolution Protocol (PRNP),

100peer-to-peer (P2P) relationships, 22–23,

120, 138performance, evaluating, 47–48Performance Monitor tool, 344peripheral input devices, 292permissions

access control, 239–240AD, 149–150advanced, 233–234calculating, 236–238defined, 202explicit, 150–151FAT and FAT32 file systems, 234inherited, 150–151NTFS, 232–233and objects and rights, 228–230overview, 229–230printer, 229share, 235–236shortcuts, 238

perpendicular magnetic recording (PMR)hard disks, 318

physical print devices, 158

403Index


ping (Packet Internet Groper)command, 55

ping tool, 197plenum-rated cables, 65plenums, 65PMC (Print Management Console), 169PMR (perpendicular magnetic recording)

hard disks, 318PRNP (Peer Name Resolution

Protocol), 100Point-to-Point Protocol (PPP) feature,

113, 272Point-to-Point Tunneling Protocol (PPTP)

feature, 113policy-based controls, 36–37pooling, print device, 158–160Ports tab, 170POST (Power-On Self-Test), 313, 329post-installation tasks, 88–90, 361power supplies, 289–290, 302, 318power supply units (PSUs), 285, 289–290,

304–305, 318–320Power-On Self-Test (POST), 313, 329PowerShell, 13, 102PPP (Point-to-Point Protocol) feature,

113, 272PPTP (Point-to-Point Tunneling Protocol)

feature, 113Preboot Extension Environment (PXE), 88Preinstallation Environment (PE), 360preinstallation tasks, 75–76primary domain controller (PDC),

119–121, 137principle of least privilege, 275print devices

attaching to print servers, 164–166attaching to servers, 162–164attaching to workstation PCs, 166–167drivers, 156installing, 160managing, 169memory, 169overview, 158, 161–162pooling, 158–160

Printers folder, 171–172sharing, 167–168

print jobs, 157Print Management Console (PMC), 169print models

devices, 158logical assignments, 158–160overview, 156–157

print process, 156print queues, 157print servers, 157, 164–166Print Services (PS), 98print users, 156printer access, sharing, 167–168printer permissions, 229Printer Set Up Wizard, 162–163printers, 156. See also print devicesPrinters and Faxes folder, 166–168Printers folder, 160–161printing. See also print devices

faxing, 172–174installing on servers, 160–161overview, 155–156print model

devices, 158logical assignments, 158–160overview, 156–157

problems, 171–172setting up on client side, 168sharing printer access, 167–168Windows 2008–based printers, 169–171

private IP addresses, 179processors, 284–285, 298–299, 375–376production systems, 250Profile tab, 208–209propagation-dampening schemes, 124property replication, 143property version numbers (PVNs), 124property-based inheritance, 239–240protocol stacks, 15, 23–24proxy servers, 186–187PS (Print Services), 98PSUs (power supply units), 285, 289–290,

304–305, 318–320



publications, Windows Server, 387–389pushing installations, 75push/pull concept, 22, 33PVNs (property version numbers), 124PXE (Preboot Extension Environment), 88

• Q •Quality of Service (QoS), 13, 25–26Quality Windows Audio/Video

Experience (qWave), 101

• R •RA (Remote Assistance), 101RADIUS (Remote Authentication Dial-In

User Service), 37, 114RAID (redundant arrays of inexpensive

disks)building, 381–383documenting, 250overview, 286–288, 377–378planning for, 301

Raise Domain Functionality dialog box,131–132

random access memory (RAM)overview, 376–377seating modules, 309–311, 324–326

RAS (Remote Access Services),79, 109, 202

RD (Recovery Disc) utility, 101RDC (Remote Desktop Connection),

34, 37RDMA (Remote Direct Memory

Access), 54RDP (Remote Desktop Protocol),

34, 37, 95RE (Recovery Environment), 359–360read-only domain controller (RODC),

103, 269receive window auto-tuning, 25–26receive window size, 25receive-side scaling, 29–30Recovery Disc (RD) utility, 101

Recovery Environment (RE), 359–360redundancy, 23, 37redundant arrays of inexpensive disks

(RAID)building, 381–383documenting, 250overview, 286–288, 377–378planning for, 301

registered ECC, 376Relative ID (RID) master, 139Reliability Monitor, 344–345Remember icons, 5Remote Access Services (RAS),

79, 109, 202Remote Assistance (RA), 101Remote Authentication Dial-In User

Service (RADIUS), 37, 114Remote Desktop Connection (RDC),

34, 37Remote Desktop Protocol (RDP),

34, 37, 95Remote Direct Memory Access

(RDMA), 54Remote Installation Service (RIS), 75, 88Remote Server Administration Tools

(RSAT), 97, 101Removable Storage Manager (RSM),

101, 251replicated updates, 141replication, 122–124, 141–144replication cycles, 123, 139, 141–143Requests for Comments (RFCs), 134resources, third-party Windows Server,

389–390RFCs (Requests for Comments), 134RID (Relative ID) master, 139RIS (Remote Installation Service), 75, 88roaming profiles, 217–219RODC (read-only domain controller),

103, 269root domains, 122round trip time (RTT), 27route tool, 197routers, 54, 180, 185

405Index


Routing and Remote Accessmanagement console, 109–111

routing capability, 109, 364–365RSAT (Remote Server Administration

Tools), 97, 101RSM (Removable Storage Manager),

101, 251RTT (round trip time), 27

• S •SACK (Selective Acknowledgement)

option, 27SAM (Security Accounts Manager),

118–119, 140SAN (storage area networks), 11, 246SATA (Serial Advanced Technology

Attachment) hard drivescontrollers

overview, 377–378versus SCSI controllers, 379–381

local backup, 246overview, 377–380

scanning, 172–174schemas, 124–125, 138–139SCSI (Small Computer System Interface)

hard drivescontrollers

overview, 377–378versus SATA controllers, 379–381

drivers, 78local backup, 246overview, 377–379

Search components, 148secure sockets layer (SSL), 17, 185Security Accounts Manager (SAM),

118–119, 140security groups, 212Security Log, 224security, network

accounts policies, 223–224common weaknesses, 277–279education, 267–268features, 13, 16–18

maintaining, 279overview, 263–264passwords, 270–274physical access, 264–267resources, 279service packs, 274–275user access, 275–277usernames, 269–270

security policies, 267–268Security Reference Monitor (SRM), 230Security tab, 150, 170segments

cable, 69network, 180

Selective Acknowledgement (SACK)option, 27

sequence identifiers, 29Serial Advanced Technology Attachment

(SATA) hard drivescontrollers

overview, 377–378versus SCSI controllers, 379–381

local backup, 246overview, 377–380

Serial Line Internet Protocol (SLIP)feature, 113

Server 2008basics of, 18–19DVD-ROM, 75, 360–361editions of, 11–12minimum requirements for, 354networking features

overview, 14security, 16–18Server Manager, 16server services, 14–16

online resources, 386–387overview, 9–11problems, 332–337publications, 387–389reasons to use, 12–14security features, 269third-party resources, 389–390utilities, 81



server clusters, 15–16Server Core installation option, 284Server Manager application

directory trees and forests, 103–108features, 99–102overview, 12–13, 16, 96–103server roles, 97–99WMS, 108–109

server networkingversus client networking, 21–23enhancement of

NDIS, 28–30Next Generation TCP/IP stack, 24–27offloading protocol processing, 27–28overview, 24TCP Chimney, 28

multiple NICs, 23overview, 21–38services

client preferences, 30–35enterprise preferences, 35–38overview, 30

server optimizationdisabling unnecessary services, 348disk defragmentation, 349managed entities, 346–347overview, 346turning off Indexing Service, 348

server roleslist of, 97–99overview, 95–96

serverscases, 289–290components of, 291–292graphics, 291hardware, 9–10, 293memory, 285–286

prices, 377selecting and sizing, 299–300, 317server versus computer, 10

motherboards, 374–375network access, 287–289overview, 284power supply, 289–290

preparing for installation, 82processors, 284–285, 375–376RAID, 286–287setting up, 104–108WINS, 192

service applications, 15Service Hardening, 17Service logs, 343service packs, 89–90, 274–275services

defined, 228disabling, 348

Services tool, 367–368session serialization, 29Setup logs, 342–343setup process, 78–79, 82–85share system volume (SYSVOL), 130–131shared system memory, 366SharePoint Services, 35shares

administrative, 277–278file, 227network, 235–236

sharing printer access, 167–168Sharing tab, 170Shiva Password Authentication Protocol

(SPAP), 272shopping, PC component, 293–294Simple Mail Transfer Protocol

(SMTP), 101sites, 127–129, 141SLIP (Serial Line Internet Protocol)

feature, 113Small Business Center, Microsoft, 370Small Computer System Interface (SCSI)

hard drivescontrollers

overview, 377–378versus SATA controllers, 379–381

drivers, 78local backup, 246overview, 377–379

smart cards, 114smells, hardware heating, 336

407Index


SMTP (Simple Mail TransferProtocol), 101

softwarebackup, 248–249deployment, 37–38installation, 77–78

SPAP (Shiva Password AuthenticationProtocol), 272

splicing cables, 61spooling, print job, 157, 169SRM (Security Reference Monitor), 230SSL (secure sockets layer), 17, 185stacks, network protocol, 15, 23–24staged backbones, 43Standard Edition, Windows Server

2008, 11static discharge, 303static model, 240storage area networks (SAN), 11, 246Storage Server 2008, 11striping, 382–383subnet masks, 182–183subnetting, 182–184Super Video Graphics Array (SVGA)

monitors, 78support, troubleshooting, 369–370SVGA (Super Video Graphics Array)

monitors, 78Syspart utility, 357Sysprep utility, 357system drives, 378system partitions, 378system testing, 47system tray, 89system volumes, 378SYSVOL (share system volume), 130–131

• T •tabs

Account, 208Address, 208Advanced, 170Cartridge Maintenance, 170

Color Management, 170Device Settings, 170Dial-in, 211Effective Permissions, 238General, 170, 208Group Policy, 220Member Of, 210Organization, 210Ports, 170Profile, 208–209Security, 150, 170Sharing, 170Telephones, 210

tape backup systems, 249–250, 258–260targets, 254–255TCP Chimney feature, 28TCP/IP (Transmission Control

Protocol/Internet Protocol)configuring requirements, 187–191names, 178–179NetBIOS, 193problems, 197resources, 196toolkits, 365–366

TCP/IP Offload Engine (TOE) cards, 54,302, 318, 366, 383–384

TechNet CD, 370Technical Stuff icons, 6technology. See componentsTelephones tab, 210Telnet application services, 15Telnet Client, 101Telnet Server, 101telnet tool, 197Terminal Services (TS), 33–35, 98test plans, 40–42TFTP (Trivial File Transfer Protocol), 101thermal paste, 308–309, 323third-party backup packages, 258third-party Windows Server resources,

389–390threats, data, 242–243throughput, 59time stamps, 124



Tip icon, 6TOE (TCP/IP Offload Engine) cards, 54,

302, 318, 366, 383–384top-level domains, 178TPM (Trusted Platform Module), 17tracert tool, 197transceivers, 61Transmission Control Protocol/Internet

Protocol (TCP/IP)configuring requirements, 187–191names, 178–179NetBIOS, 193problems, 197resources, 196toolkits, 365–366

transmission mediabackbones, 69–70bandwidths, 65–68network media


overview, 57transparent infrastructure, 30trees

directory, 103–104domain, 122, 134–135

Trivial File Transfer Protocol (TFTP), 101troubleshooting

hardware and software updates, 340–341network

hardware problems, 364names and addresses, 368–369network adapters, 366–367Network Monitor, 367overview, 363preventing problems, 370recent changes, 369routing, 364–365Services tool, 367–368support for, 369–370TCP/IP toolkits, 365–366

overview, 331–332

resources forMicrosoft, 385–387overview, 385publications, 387–389third-party sources, 389–390

run-time issuesGroup Policy infrastructure, 338overview, 337printing infrastructure, 338–339User Account Control, 337–338

Server ManagerEvent Viewer, 341–343overview, 341Performance Diagnostics, 343–345Services, 343

setup failuresoverview, 332restart failure, 333unavailable partition, 332–333

startup errors, 335–336startup failures

corrupt file or volume, 334–335driver failure, 334hardware failure, 334malware or viral infection, 335misconfigured settings, 335

Windows activation, 339–340trust relationships, 120, 133–134, 140,

152–154Trusted Platform Module (TPM), 17TS (Terminal Services), 33–35, 98twisted-pair cables, 59two-way transitive trusts, 104

• U •UAC (User Account Control), 17, 337UDDI (Universal Description, Discovery,

and Integration), 99unattended installation, 37, 92, 356–357unauthenticated access, 16Uniform Resource Locators (URLs), 178uninterruptible power supply (UPS)

devices, 76, 265, 290

409Index


unitsbackup, 247–248organizational (OUs), 126, 129, 145–146,

204, 239Universal Description, Discovery, and

Integration (UDDI), 99universal groups, 131, 213unshielded twisted pair (UTP) cables, 61update sequence numbers (USNs),

123–124upgrade installation, 73–74UPS (uninterruptible power supply)

devices, 76, 265, 290up-to-date vectors, 124URLs (Uniform Resource Locators), 178user access, 275–277User Account Control (UAC), 17, 337user account objects, 201user accounts

managing, 211properties, 201–204

User Creation Wizard, 146–147user objects, 146–147user profiles, 217–219user rights, 202, 229–230, 276–277usernames, 269–270, 278USNs (update sequence numbers),

123–124UTP (unshielded twisted pair) cables, 61

• V •VeriSign domain name registrar, 178–179VGA (Video Graphics Array) monitors, 78Video Graphics Array (VGA) monitors, 78video, low resolution, 358–359virtual private networks (VPNs), 17virtualization capability, 14, 115, 292–293viruses, 242–243Visio application, 52Vista, 9Vista Upgrade Advisor, 294visualization, network, 52volumes, 254–255VPNs (virtual private networks), 17

• W •WANs (wide area networks), 57, 109, 127Warning icons, 6WCF (Windows Communication

Foundation) Web Services, 34WDS (Windows Deployment Services), 99Web Edition, Windows Server 2008, 11Web Server, 11, 35, 79, 99, 108–109Web-based services, 35WER (Windows Error Reporting), 345WID (Windows Internal Database), 102wide area networks (WANs), 57, 109, 127WIF (Windows Imaging Format), 38,

359–361WiFi (wireless) devices, 63–64Wi-Fi Protected Access 2 (WPA2), 64Windows Communication Foundation

(WCF) Web Services, 34Windows Deployment Services (WDS), 99Windows Fax and Scan applet, 172–174Windows Firewall, 18, 95, 187, 365Windows Imaging Format (WIF), 38,

359–361Windows Indexing Service, 348Windows Internal Database (WID), 102Windows Internet Name Service (WINS),

33, 102, 178, 191–193Windows Management Instrumentation

(WMI) enhancements, 16Windows Media Services (WMS), 108–109Windows NT 4.0, 118–119Windows PowerShell, 13, 102Windows Preinstallation Environment

(PE), 360Windows Process Activation Service

(WPAS), 102Windows Recovery Environment

(Windows RE), 359–360Windows Server 2008. See also Active

Directorybasics of, 18–19DVD-ROM, 75, 360–361editions of, 11–12



minimum requirements for, 354networking features

overview, 14security, 16–18Server Manager, 16server services, 14–16

online resources, 386–387overview, 9–11problems, 332–337publications, 387–389reasons to use, 12–14security features, 269third-party resources, 389–390utilities, 81

Windows Server Backup (WSB) facilitycommand line backups, 253–254destinations, 255–256media settings, 255–256overview, 102, 251–253scheduling jobs, 256targets, 254–255volumes, 254–255

Windows Server Catalog, 355Windows Server Virtualization, 14, 115,

292–293Windows Service Hardening, 17Windows SharePoint Services (WSP), 99Windows Storage Server 2008, 11Windows System Resource Manager

(WSRM), 102Windows Vista features, 9WINS (Windows Internet Name Service),

33, 102, 178, 191–193

wireless (WiFi) devices, 63–64Wireless LAN (WLAN) Service, 102wireless networks, 63–64wiring systems, 59WLAN (Wireless LAN) Service, 102WMI (Windows Management

Instrumentation) enhancements, 16WMS (Windows Media Services),

108–109WPA2 (Wi-Fi Protected Access 2), 64WPAS (Windows Process Activation

Service), 102WSB (Windows Server Backup) facility


WSB facility. See Windows Server Backup(WSB) facility

WSP (Windows SharePoint Services), 99WSRM (Windows System Resource

Manager), 102

• X •X.500 directory, 116–118, 121XML (eXtensible Markup Language)

services, 11XPS (XML Paper Specification), 155

411Index


BUSINESS, CAREERS & PERSONAL FINANCE

Also available:Business Plans Kit For Dummies 0-7645-9794-9Economics For Dummies 0-7645-5726-2Grant Writing For Dummies0-7645-8416-2Home Buying For Dummies 0-7645-5331-3Managing For Dummies 0-7645-1771-6Marketing For Dummies 0-7645-5600-2

Personal Finance For Dummies 0-7645-2590-5*Resumes For Dummies 0-7645-5471-9Selling For Dummies 0-7645-5363-1Six Sigma For Dummies 0-7645-6798-5Small Business Kit For Dummies 0-7645-5984-2Starting an eBay Business For Dummies 0-7645-6924-4Your Dream Career For Dummies 0-7645-9795-7

0-7645-9847-3 0-7645-2431-3

Also available:Candy Making For Dummies0-7645-9734-5Card Games For Dummies 0-7645-9910-0Crocheting For Dummies 0-7645-4151-XDog Training For Dummies 0-7645-8418-9Healthy Carb Cookbook For Dummies 0-7645-8476-6Home Maintenance For Dummies 0-7645-5215-5

Horses For Dummies 0-7645-9797-3Jewelry Making & Beading For Dummies 0-7645-2571-9Orchids For Dummies 0-7645-6759-4Puppies For Dummies 0-7645-5255-4Rock Guitar For Dummies 0-7645-5356-9Sewing For Dummies 0-7645-6847-7Singing For Dummies 0-7645-2475-5

FOOD, HOME, GARDEN, HOBBIES, MUSIC & PETS

0-7645-8404-9 0-7645-9904-6

Available wherever books are sold. For more information or to order direct: U.S. customers visit www.dummies.com or call 1-877-762-2974. U.K. customers visit www.wileyeurope.com or call 0800 243407. Canadian customers visit www.wiley.ca or call 1-800-567-4797.

HOME & BUSINESS COMPUTER BASICS

Also available:Cleaning Windows Vista For Dummies 0-471-78293-9Excel 2007 For Dummies0-470-03737-7Mac OS X Tiger For Dummies 0-7645-7675-5MacBook For Dummies 0-470-04859-XMacs For Dummies 0-470-04849-2Office 2007 For Dummies0-470-00923-3

Outlook 2007 For Dummies0-470-03830-6PCs For Dummies 0-7645-8958-XSalesforce.com For Dummies 0-470-04893-XUpgrading & Fixing Laptops For Dummies 0-7645-8959-8Word 2007 For Dummies 0-470-03658-3Quicken 2007 For Dummies 0-470-04600-7

0-470-05432-8 0-471-75421-8

Also available:Blogging For Dummies 0-471-77084-1Digital Photography For Dummies0-7645-9802-3Digital Photography All-in-One Desk Reference For Dummies0-470-03743-1Digital SLR Cameras and Photography For Dummies0-7645-9803-1eBay Business All-in-One Desk Reference For Dummies0-7645-8438-3HDTV For Dummies 0-470-09673-X

Home Entertainment PCs For Dummies 0-470-05523-5MySpace For Dummies 0-470-09529-6Search Engine Optimization For Dummies0-471-97998-8Skype For Dummies 0-470-04891-3The Internet For Dummies 0-7645-8996-2Wiring Your Digital Home For Dummies 0-471-91830-X

INTERNET & DIGITAL MEDIA

0-470-04529-9 0-470-04894-8

* Separate Canadian edition also available† Separate U.K. edition also available

33_180433 badvert01.qxp 2/25/08 7:54 PM Page 413

Also available:3D Game Animation For Dummies 0-7645-8789-7AutoCAD 2006 For Dummies 0-7645-8925-3Building a Web Site For Dummies 0-7645-7144-3Creating Web Pages For Dummies 0-470-08030-2Creating Web Pages All-in-One Desk Reference For Dummies 0-7645-4345-8Dreamweaver 8 For Dummies 0-7645-9649-7

InDesign CS2 For Dummies 0-7645-9572-5Macromedia Flash 8 For Dummies 0-7645-9691-8Photoshop CS2 and Digital Photography For Dummies 0-7645-9580-6Photoshop Elements 4 For Dummies 0-471-77483-9Syndicating Web Sites with RSS Feeds For Dummies 0-7645-8848-6Yahoo! SiteBuilder For Dummies 0-7645-9800-7

SPORTS, FITNESS, PARENTING, RELIGION & SPIRITUALITY

Also available:Catholicism For Dummies 0-7645-5391-7Exercise Balls For Dummies 0-7645-5623-1Fitness For Dummies 0-7645-7851-0Football For Dummies 0-7645-3936-1Judaism For Dummies 0-7645-5299-6Potty Training For Dummies 0-7645-5417-4Buddhism For Dummies 0-7645-5359-3

Pregnancy For Dummies 0-7645-4483-7 †Ten Minute Tone-Ups For Dummies 0-7645-7207-5NASCAR For Dummies 0-7645-7681-XReligion For Dummies 0-7645-5264-3Soccer For Dummies 0-7645-5229-5Women in the Bible For Dummies 0-7645-8475-8

Also available:Alaska For Dummies 0-7645-7746-8Cruise Vacations For Dummies 0-7645-6941-4England For Dummies 0-7645-4276-1Europe For Dummies 0-7645-7529-5Germany For Dummies 0-7645-7823-5Hawaii For Dummies 0-7645-7402-7

Italy For Dummies 0-7645-7386-1Las Vegas For Dummies 0-7645-7382-9London For Dummies 0-7645-4277-XParis For Dummies 0-7645-7630-5RV Vacations For Dummies 0-7645-4442-XWalt Disney World & Orlando For Dummies 0-7645-9660-8

TRAVEL

GRAPHICS, DESIGN & WEB DEVELOPMENT

0-471-76871-5 0-7645-7841-3

0-7645-7749-2 0-7645-6945-7

0-7645-8815-X 0-7645-9571-7

Also available:Access 2007 For Dummies 0-470-04612-0ASP.NET 2 For Dummies 0-7645-7907-XC# 2005 For Dummies 0-7645-9704-3Hacking For Dummies 0-470-05235-XHacking Wireless Networks For Dummies 0-7645-9730-2Java For Dummies 0-470-08716-1

Microsoft SQL Server 2005 For Dummies 0-7645-7755-7Networking All-in-One Desk Reference For Dummies 0-7645-9939-9Preventing Identity Theft For Dummies 0-7645-7336-5Telecom For Dummies 0-471-77085-XVisual Studio 2005 All-in-One Desk Reference For Dummies 0-7645-9775-2XML For Dummies 0-7645-8845-1

NETWORKING, SECURITY, PROGRAMMING & DATABASES

0-7645-7728-X 0-471-74940-0

33_180433 badvert01.qxp 2/25/08 7:54 PM Page 414